PayPal takes four days to patch a critical remote code execution vulnerability



It took PayPal only four days to patch a critical remote code execution vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.3. The flaw, in the Java Debug Wire Protocol (JDWP) on PayPal's marketing online service web server, allowed "remote attackers to execute system specific code against a target system to compromise the webserver."


JDWP, a component of the Java Platform Debugger Architecture, is the "protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs," explained independent security researcher Milan A. Solanki. "JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server."
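The exposure described above comes down to how the JDWP agent is configured when the JVM starts. As an added example that is not part of the original article, the following Python helper (hypothetical names, not PayPal's or the JDK's own code) audits a JVM command line and flags a JDWP listener that would be reachable beyond loopback; it also covers the shared-memory transport and client-mode cases beyond the single scenario in the text.

```python
import re
from dataclasses import dataclass

# Hypothetical audit helper (added example, not PayPal's or the JDK's own code).
# It reads the JDWP agent options from a JVM command line and reports whether
# the debug listener would be reachable from the network. Because JDWP performs
# no authentication, a listener on a non-loopback address is a remote code
# execution path for anyone who can reach the port.

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"*", "0.0.0.0", "::"}
JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)([^\s]+)")


@dataclass
class JdwpFinding:
    present: bool
    exposed: bool
    reason: str
    host: str = ""
    port: str = ""


def audit_jvm_cmdline(cmdline: str) -> JdwpFinding:
    """Classify the JDWP configuration found in a JVM command line."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return JdwpFinding(False, False, "no JDWP agent configured")
    # Agent options are comma-separated key=value pairs.
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    if opts.get("transport", "") != "dt_socket":
        return JdwpFinding(True, False, "non-socket transport (not network reachable)")
    if opts.get("server", "n") != "y":
        return JdwpFinding(True, False, "JVM dials out to a debugger; no listener opened")
    address = opts.get("address", "")
    host, _, port = address.rpartition(":")   # "5005" -> host "", port "5005"
    host = host.strip("[]")                    # "[::1]:5005" -> "::1"
    if host in LOOPBACK:
        return JdwpFinding(True, False, "listener bound to loopback only", host, port)
    if host == "" or host in WILDCARD:
        # A bare port binds to all interfaces on JDK 8 and earlier; treat it as
        # exposed so the verdict does not depend on the runtime's JDK version.
        return JdwpFinding(True, True, "listener bound to all interfaces", host or "*", port)
    return JdwpFinding(True, True, f"listener bound to non-loopback address {host}", host, port)
```

Run it over the command lines of every Java process on a host (for example from `ps` output) and treat any `exposed=True` finding as an unauthenticated remote code execution path until the address is moved to loopback or the agent is removed.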