Vulnerability CVE-2016-8648


Published: 2018-08-01

Description:
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x and Red Hat JBoss A-MQ 6.x deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath.

Type: CWE-502 (Deserialization of Untrusted Data)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
Affected software:
Red Hat -> JBoss A-MQ
Red Hat -> JBoss Fuse

References:
http://www.securityfocus.com/bid/94513
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648

Copyright 2024, cxsecurity.com