#VU10576 Deserialization of untrusted data in JBoss Data Grid - CVE-2017-15089
Published: February 14, 2018
Vulnerability identifier: #VU10576
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-15089
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
JBoss Data Grid
Software vendor:
Red Hat Inc.
Description
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists because data read from the cache is deserialized without validation. A remote attacker can inject specially crafted serialized objects into the data cache and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
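The weakness class above (CWE-502) is commonly contained with a JEP 290 deserialization filter; the following is an added illustration, not code from the advisory or from Red Hat/JBoss Data Grid, and the CacheEntry type, the allowlist and the size limits are assumptions chosen for the example.

```java
import java.io.*;
import java.util.HashMap;

// Added example (not JBoss Data Grid code): an ObjectInputFilter that only permits
// the value types a cache is expected to hold, so an unexpected serialized object
// read from the cache is refused before any of its code can run.
public class CacheDeserializationFilter {
    // Hypothetical value type stored in the cache.
    static final class CacheEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int hits;
        CacheEntry(String key, int hits) { this.key = key; this.hits = hits; }
    }

    // Allowlist: the entry type plus the JDK types it references; "!*" rejects everything
    // else. Depth and size limits also bound resource abuse by deeply nested payloads.
    static final ObjectInputFilter CACHE_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=4;maxarray=1024;maxbytes=65536;"
        + "CacheDeserializationFilter$CacheEntry;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize a cache payload with the filter installed on this stream only.
    static Object readCachePayload(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(CACHE_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: accepted.
        CacheEntry ok = (CacheEntry) readCachePayload(serialize(new CacheEntry("user:42", 7)));
        System.out.println("accepted: " + ok.key + " hits=" + ok.hits);

        // Any class outside the allowlist (a plain HashMap here) is rejected with
        // InvalidClassException while its class descriptor is read, before construction.
        try {
            readCachePayload(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java CacheDeserializationFilter.java` on JDK 11 or later; the second call prints a "filter status: REJECTED" message instead of building the object.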
Remediation
Update to version 7.1.2.