PT-2016-5914 · Vendors: Apache, HPE · Products: Apache Commons Collections, HPE Universal CMDB, HPE Universal CMDB Configuration Manager, HPE Universal Discovery
Published: 2016-06-08 · Updated: 2016-06-10 · CVE-2016-4368
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
HPE Universal CMDB versions 10.0 through 10.21
HPE Universal CMDB Configuration Manager versions 10.0 through 10.21
HPE Universal Discovery versions 10.0 through 10.21
Description
The affected products deserialize Java objects received over the network and bundle the Apache Commons Collections (ACC) library. ACC's Transformer functors (InvokerTransformer, ChainedTransformer, ConstantTransformer and related classes) are Serializable, and a serialized object graph that chains them is executed by the JVM while the stream is being deserialized, before any application code can inspect the resulting object. A remote attacker who can deliver a crafted serialized Java object to an affected interface therefore executes arbitrary commands on the server with the privileges of the product's JVM; the vector (AV:N/PR:N/UI:N) records that no authentication or user interaction is needed.
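The class descriptors a gadget chain must carry are the most reliable thing a defender can look for without deserializing the data. The scanner below is an added example, not code from HPE or from this advisory's publisher: it walks the raw bytes of a Java serialization stream (magic 0xACED 0x0005, then TC_CLASSDESC records of the form 0x72, u2 length, modified-UTF-8 class name) and reports any class from the packages the public ACC gadget chains use. The sample stream it scans is constructed here, with a placeholder serialVersionUID, and is only a class-descriptor header, not a working payload. The check is a heuristic: it catches the well-known Commons Collections gadgets, not gadget chains built from other libraries on the classpath, and a legitimate application that happens to serialize ACC collection types would also be flagged.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Flags class descriptors of known Commons Collections gadget classes in a raw
 *  Java serialization stream, without calling ObjectInputStream on it. */
public class GadgetStreamScanner {
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    private static final int TC_OBJECT = 0x73;
    private static final int TC_CLASSDESC = 0x72;
    // Binary class name, optionally an array type such as [Ljava.lang.Object;
    private static final Pattern CLASS_NAME =
        Pattern.compile("\\[*L?[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*;?");
    // Classes used by the public ACC gadget chains (ysoserial CommonsCollections1-7).
    private static final String[] GADGET_PREFIXES = {
        "org.apache.commons.collections.functors.",
        "org.apache.commons.collections4.functors.",
        "org.apache.commons.collections.map.LazyMap",
        "org.apache.commons.collections4.map.LazyMap",
        "org.apache.commons.collections.keyvalue.TiedMapEntry",
        "org.apache.commons.collections4.keyvalue.TiedMapEntry",
    };

    public static boolean isJavaSerialized(byte[] data) {
        if (data.length < MAGIC.length) return false;
        for (int i = 0; i < MAGIC.length; i++) if (data[i] != MAGIC[i]) return false;
        return true;
    }

    /** Every class name found in a TC_CLASSDESC record (0x72, u2 length, name bytes). */
    public static List<String> classNames(byte[] data) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 <= data.length; i++) {
            if ((data[i] & 0xFF) != TC_CLASSDESC) continue;
            int len = ((data[i + 1] & 0xFF) << 8) | (data[i + 2] & 0xFF);
            if (len == 0 || len > 1024 || i + 3 + len > data.length) continue; // 0x72 as data, not a tag
            String name = new String(data, i + 3, len, StandardCharsets.ISO_8859_1);
            if (CLASS_NAME.matcher(name).matches()) {
                names.add(name);
                i += 2 + len; // do not rescan the bytes of the name itself
            }
        }
        return names;
    }

    /** Gadget class names present in the stream; empty if the data is not a Java stream. */
    public static List<String> gadgetClasses(byte[] data) {
        List<String> hits = new ArrayList<>();
        if (!isJavaSerialized(data)) return hits;
        for (String name : classNames(data)) {
            for (String prefix : GADGET_PREFIXES) {
                if (name.startsWith(prefix)) { hits.add(name); break; }
            }
        }
        return hits;
    }

    /** Constructed sample: header of a stream whose first object claims the given class.
     *  Placeholder serialVersionUID and no fields, so this is not a usable payload. */
    public static byte[] constructedSample(String className) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.write(MAGIC);
        out.writeByte(TC_OBJECT);
        out.writeByte(TC_CLASSDESC);
        out.writeUTF(className);   // u2 length + modified UTF-8, exactly as the stream format encodes it
        out.writeLong(0L);         // serialVersionUID placeholder
        out.writeByte(0x02);       // SC_SERIALIZABLE
        out.writeShort(0);         // field count
        out.writeByte(0x78);       // TC_ENDBLOCKDATA
        out.writeByte(0x70);       // TC_NULL: no superclass descriptor
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] hostile = constructedSample("org.apache.commons.collections.functors.InvokerTransformer");
        System.out.println("hostile stream, classes: " + classNames(hostile));
        System.out.println("hostile stream, gadgets: " + gadgetClasses(hostile));

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new ArrayList<>()); }
        byte[] benign = bos.toByteArray();
        System.out.println("benign stream, classes: " + classNames(benign));
        System.out.println("benign stream, gadgets: " + gadgetClasses(benign));
    }
}
```

Run it against captured request bodies or a proxy log: the benign stream lists only java.util.ArrayList and no gadgets, while the constructed stream reports InvokerTransformer. The class name cannot be obfuscated in a real payload, because the JVM must resolve it on the classpath, which is why descriptor scanning is a useful tripwire even though it is not a full stream parser.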
Recommendations
For HPE Universal CMDB versions 10.0 through 10.21, consider disabling the use of the Apache Commons Collections library until a patch is available.
For HPE Universal CMDB Configuration Manager versions 10.0 through 10.21, restrict access to the affected modules to minimize the risk of exploitation.
For HPE Universal Discovery versions 10.0 through 10.21, avoid using the vulnerable
serialized Java object parameter in the affected API endpoints until the issue is resolved.Fix
RCE
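The underlying defect is an ObjectInputStream that accepts whatever classes the sender names. The following is an added example, not HPE's code and not taken from this advisory: it shows the unfiltered readObject() pattern next to the same read protected by an allow-list java.io.ObjectInputFilter (Java 9 and later; Java 8u121 and later backport it as sun.misc.ObjectInputFilter). CmdbRequest is a hypothetical request type standing in for whatever an endpoint legitimately expects, and a java.util.HashMap stands in for a gadget chain, since no Commons Collections dependency is needed to show the filter rejecting an unexpected class before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class FilteredDeserialization {

    /** Hypothetical DTO: the only type this endpoint is meant to receive. */
    public static final class CmdbRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String query;
        public CmdbRequest(String query) { this.query = query; }
    }

    /** Vulnerable pattern: any Serializable class on the classpath may be instantiated,
     *  and the gadget chain runs inside readObject() before the cast on the caller's side. */
    public static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Classes the endpoint expects: the DTO and the String it contains. */
    private static final Set<String> ALLOWED = Set.of(CmdbRequest.class.getName(), String.class.getName());

    /** Allow-list filter consulted by ObjectInputStream for every class descriptor and
     *  array in the stream, before any instance is created. */
    static final ObjectInputFilter ALLOW_LIST = info -> {
        if (info.depth() > 8) return ObjectInputFilter.Status.REJECTED;   // absurd nesting
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;          // size-only check, no class
        return ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    /** Hardened pattern: the filter is installed on the stream before reading. */
    public static CmdbRequest readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return (CmdbRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new CmdbRequest("select * from cis"));
        System.out.println("filtered, legitimate request: " + readFiltered(legit).query);

        // Stand-in for a gadget chain: a class the endpoint never expects.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] hostile = serialize(unexpected);

        System.out.println("unfiltered, unexpected class: " + readUnfiltered(hostile)); // instantiated anyway
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter rejects by class name before ObjectInputStream allocates the object, so a Transformer chain never gets to run; a deny-list of known gadget packages (as in the jdk.serialFilter mitigation above) is the fallback when the legitimate set of types is not known, and an allow-list like this one is preferable wherever the code can be changed.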
Affected Products
Apache Commons Collections
HPE Universal CMDB
HPE Universal CMDB Configuration Manager
HPE Universal Discovery