Multiple vulnerabilities in JBoss Enterprise Application Platform



Updated: 2020-08-09
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2016-9585
CVE-2016-7065
CWE-ID CWE-502
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Vulnerable software
JBoss Enterprise Application Platform
Server applications / Application servers

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU37460

Risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-9585

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Red Hat JBoss EAP version 5 is vulnerable to deserialization of untrusted data in the JMX endpoint, which deserializes the credentials passed to it. An attacker could exploit this vulnerability to cause a denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 5.0.0

External links

https://www.securityfocus.com/bid/94932
https://bugzilla.redhat.com/show_bug.cgi?id=1404528


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Deserialization of Untrusted Data

EUVDB-ID: #VU40073

Risk: High

CVSSv4.0: 7.4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2016-7065

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
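To make the deserialization path concrete for both entries in this bulletin (the JMX endpoint in #1 and the JMX servlet in #2), the following added Python example (not JBoss code and not taken from the referenced exploit) shows what a Java serialized object looks like on the wire and applies the deny-by-default class allowlist that a filter in front of, or inside, the deserializing endpoint should enforce, the same policy a Java ObjectInputFilter implements. It assumes the invoker path /invoker/JMXInvokerServlet (not named on this page), a hypothetical allowlist containing only org.jboss.invocation.MarshalledInvocation, and constructed request bodies; the class-name scan is a heuristic over TC_CLASSDESC entries, not a full parser of the Java serialization protocol.

```python
"""Detect Java serialized objects posted to a JBoss invoker servlet and apply a
class allowlist to the stream before anything deserializes it.
Added example, not JBoss code. The descriptor scan is a heuristic, not a full
java.io.ObjectInputStream protocol parser."""
import re

# Constants from java.io.ObjectStreamConstants
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
SC_SERIALIZABLE = 0x02

# Assumption: the invoker path used by the JBoss 4/5 JMX servlet in this deployment.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet",)

# Hypothetical allowlist. A real one is built from the classes the invoker
# legitimately receives; everything else is rejected (deny by default).
ALLOWLIST = frozenset({"org.jboss.invocation.MarshalledInvocation"})

# Java binary class names: dotted identifiers, with array prefixes allowed.
CLASS_NAME_RE = re.compile(rb"^[\[A-Za-z_$][\w$.\[;]*$")


def is_java_stream(body: bytes) -> bool:
    """True when the body starts with the Java serialization magic and version."""
    return body[:4] == STREAM_MAGIC + STREAM_VERSION


def class_names(body: bytes) -> list:
    """Return the class names of every TC_CLASSDESC found in the stream, in order.
    Scans for 0x72 followed by a 2-byte big-endian length and a valid class name."""
    names = []
    i = 4  # skip magic + version
    while i < len(body):
        if body[i] == TC_CLASSDESC and i + 3 <= len(body):
            n = int.from_bytes(body[i + 1:i + 3], "big")
            cand = body[i + 3:i + 3 + n]
            if n and len(cand) == n and CLASS_NAME_RE.fullmatch(cand):
                names.append(cand.decode("ascii"))
                i += 3 + n  # step over the name so its bytes are not rescanned
                continue
        i += 1
    return names


def check_request(path: str, body: bytes, allowlist=ALLOWLIST) -> str:
    """Verdict for one request: 'ignore', 'allow', or 'block:<reason>'.
    A stream naming any class outside the allowlist is blocked before
    deserialization; a stream with no readable descriptor is blocked too."""
    if not path.startswith(INVOKER_PATHS) or not is_java_stream(body):
        return "ignore"
    names = class_names(body)
    if not names:
        return "block:unparseable"
    for name in names:
        if name not in allowlist:
            return "block:" + name
    return "allow"


def serialized_object(class_name: str) -> bytes:
    """Constructed sample: minimal stream for a field-less Serializable class
    (TC_OBJECT, TC_CLASSDESC, zero serialVersionUID, no fields, null superclass)."""
    name = class_name.encode("ascii")
    return (STREAM_MAGIC + STREAM_VERSION
            + bytes([TC_OBJECT, TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name
            + b"\x00" * 8                          # serialVersionUID
            + bytes([SC_SERIALIZABLE])             # classDescFlags
            + b"\x00\x00"                          # field count
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))   # end of annotations, no superclass


# Constructed sample requests (path, body). The second names a class from a
# publicly known deserialization gadget chain purely as sample input.
SAMPLE_REQUESTS = [
    ("/invoker/JMXInvokerServlet", serialized_object("org.jboss.invocation.MarshalledInvocation")),
    ("/invoker/JMXInvokerServlet", serialized_object("org.apache.commons.collections.functors.InvokerTransformer")),
    ("/invoker/JMXInvokerServlet", b"\xac\xed\x00\x05\x00\x00"),  # magic present, no descriptor
    ("/index.html", b"\xac\xed\x00\x05"),                         # not an invoker path
    ("/invoker/JMXInvokerServlet", b"name=value"),                # form data, not a stream
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run the check over a batch of (path, body) pairs and return the verdicts."""
    return [check_request(path, body) for path, body in requests]


if __name__ == "__main__":
    for (path, _), verdict in zip(SAMPLE_REQUESTS, scan()):
        print(f"{path:30} {verdict}")
```

The point of the allowlist is that the filter decides on class names before any constructor, readObject or gadget code runs; a denylist of known gadget classes would miss the next chain. The same check expressed in Java on the server side is an ObjectInputFilter that rejects every class not explicitly permitted.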

Mitigation

Install update from vendor's website.

Vulnerable software versions

JBoss Enterprise Application Platform: 4.0.0 - 5.0.0

External links

https://seclists.org/fulldisclosure/2016/Nov/143
https://www.securityfocus.com/bid/93462
https://bugzilla.redhat.com/show_bug.cgi?id=1382534
https://www.exploit-db.com/exploits/40842/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is publicly available.


