OpenCVE

It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Jboss A-mq Jboss Fuse

Configuration 1 [-]

OR	cpe:2.3:a:redhat:jboss_a-mq:6.0.0:::::::*
	cpe:2.3:a:redhat:jboss_fuse:6.0.0:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/94513
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648
https://nvd.nist.gov/vuln/detail/CVE-2016-8648
https://www.cve.org/CVERecord?id=CVE-2016-8648

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-08-01T14:00:00

Updated: 2024-08-06T02:27:41.427Z

Reserved: 2016-10-12T00:00:00

Link: CVE-2016-8648

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-08-01T14:29:00.300

Modified: 2024-11-21T02:59:45.650

Link: CVE-2016-8648

Redhat

Severity : Moderate

Publid Date: 2016-11-24T00:00:00Z

Links: CVE-2016-8648 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C4404A-CFB7-4B47-9487-F998825C31CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath."}, {"lang": "es", "value": "Se ha detectado que el contenedor Karaf empleado por Red Hat JBoss Fuse 6.x y Red Hat JBoss A-MQ 6.x deserializa los objetos que se pasan a MBeans mediante operaciones JMX. Un atacante podr\u00eda emplear este error para ejecutar c\u00f3digo remoto en el servidor como el usuario que ejecuta la m\u00e1quina virtual de Java si el MBean objetivo contiene gadgets de deserializaci\u00f3n en su ruta de clase."}], "id": "CVE-2016-8648", "lastModified": "2024-11-21T02:59:45.650", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-01T14:29:00.300", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94513"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94513"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Jason Shepherd (Red Hat).", "bugzilla": {"description": "Karaf JMX Console RCE during deserialization", "id": "1395077", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1395077"}, "csaw": false, "cvss": {"cvss_base_score": "6.5", "cvss_scoring_vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "status": "draft"}, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.", "It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath."], "mitigation": {"lang": "en:us", "value": "In order to exploit this issue you need to have credentials of a user with the 'admin' role. Therefore a good mitigation against this attack is to set a strong password for any user with the 'admin' role in the 'etc/users.properties' file of the Red Hat JBoss Fuse 6, or Red Hat JBoss AM-Q 6."}, "name": "CVE-2016-8648", "package_state": [{"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Affected", "package_name": "Karaf", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "karaf", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Not affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2016-11-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-8648\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-8648"], "threat_severity": "Moderate"}