Deserialization of untrusted data in JBoss Data Grid - CVE-2017-15089
Published: February 14, 2018
Vulnerability identifier: #VU10576
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-15089
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss Data Grid
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists because data read back from the cache is deserialized without validation. A remote attacker who can write to the data cache can store specially crafted serialized objects in it; when those entries are read and deserialized, the attacker's objects are instantiated and arbitrary code runs with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
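The pattern behind this CWE-502 entry, shown in plain Java as an added example (this is not JBoss Data Grid or Infinispan code, and the cache entry is modelled as a byte[] the attacker controls): readUnsafe() deserializes whatever the cache holds, so a stored object of an unexpected class has its readObject() executed; readFiltered() attaches an allow-list ObjectInputFilter (JEP 290, Java 9+), which rejects any class other than the expected cache value type before it can be instantiated. CacheValue, Unexpected and the serialized inputs are constructed for the demonstration.

```java
import java.io.*;
import java.util.Set;

public class CacheDeserializationDemo {

    // The class the cache is legitimately expected to hold (constructed for the demo).
    static final class CacheValue implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        CacheValue(String payload) { this.payload = payload; }
    }

    // A class that should never be materialised from cache data (constructed for the
    // demo). Its only side effect is a log line; a real gadget class would do worse.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject() of an unexpected class ran during deserialization");
        }
    }

    // Produces the byte form a cache would store for any object.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever is in the cache gets deserialized, so the class
    // of the stored object is chosen by whoever wrote the entry.
    static Object readUnsafe(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            return ois.readObject();
        }
    }

    // Only these classes may be instantiated from cache data. String is listed
    // defensively for the CacheValue.payload field.
    static final Set<String> ALLOWED = Set.of(CacheValue.class.getName(), String.class.getName());

    // Hardened pattern: the filter is consulted for each class in the stream before
    // an instance exists, so a rejected class never reaches its readObject().
    static Object readFiltered(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) {                       // depth/size/reference checks carry no class
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                while (c.isArray()) {                  // judge arrays by their component type
                    c = c.getComponentType();
                }
                if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
                return ObjectInputFilter.Status.REJECTED;
            });
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new CacheValue("hello"));
        byte[] hostile = serialize(new Unexpected());  // stands in for attacker-written cache data

        System.out.println("unsafe, legit:     " + ((CacheValue) readUnsafe(legit)).payload);
        System.out.println("unsafe, hostile:   " + readUnsafe(hostile).getClass().getSimpleName());
        System.out.println("filtered, legit:   " + ((CacheValue) readFiltered(legit)).payload);
        try {
            readFiltered(hostile);
            System.out.println("filtered, hostile: accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile: rejected, " + e.getMessage());
        }
    }
}
```

Compile and run with `javac CacheDeserializationDemo.java && java CacheDeserializationDemo`: the unsafe path prints the log line from Unexpected.readObject(), the filtered path throws InvalidClassException for the same bytes. The same allow-list can be applied process-wide without code changes through the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='com.example.CacheValue;java.lang.String;!*'`), which is a useful compensating control for third-party deserialization paths, but it does not replace updating the affected product.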
How to mitigate CVE-2017-15089
Update JBoss Data Grid to version 7.1.2.