{"containers": {"cna": {"affected": [{"product": "EAP-5", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "EAP-5"}]}], "datePublic": "2016-12-13T00:00:00", "descriptions": [{"lang": "en", "value": "Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-03-10T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404528"}, {"name": "94932", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94932"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:59:02.542Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404528"}, {"name": "94932", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94932"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-9585", "dateReserved": "2016-11-23T00:00:00", "dateUpdated": "2024-08-06T02:59:02.542Z", "state": "PUBLISHED", "datePublished": "2018-03-09T15:00:00Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F5D7F1AD-4BD3-4C37-B6B5-B287464B2EEB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack."}, {"lang": "es", "value": "Red Hat JBoss EAP, versi\u00f3n 5, es vulnerable a una deserializaci\u00f3n de datos no fiables en el endpoint JMX cuando deserializa las credenciales que se le pasan. Un atacante puede explotar esta vulnerabilidad para provocar una denegaci\u00f3n de servicio (DoS)."}], "id": "CVE-2016-9585", "lastModified": "2019-10-09T23:20:36.850", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-09T15:29:00.203", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94932"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404528"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Jason Shepherd (Red Hat).", "bugzilla": {"description": "EAP-5: unsafe deserialization of user credentials by the JMX endpoint", "id": "1404528", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1404528"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P", "status": "draft"}, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack.", "It was found that the JMX endpoint of Red Hat JBoss EAP 5 deserializes the credentials passed to it. An attacker could use this flaw to cause a denial of service."], "mitigation": {"lang": "en:us", "value": "You should not expose Remote JMX on EAP 5, or SOA-P 5. To do that remove this system property from bin/run.conf, or bin/run.conf.bat:\ncom.sun.management.jmxremote.port=<portNum>"}, "name": "CVE-2016-9585", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "jbossas", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "jbossas", "product_name": "Red Hat JBoss SOA Platform 5"}], "public_date": "2016-12-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-9585\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-9585"], "threat_severity": "Low"}