PT-2016-5930 · Apache · Apache Commons Collections

Jacob Baines · Published 2016-09-21 · Updated 2018-02-17

CVE-2016-4385
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

HP Network Automation Software versions 9.1x through 9.2x
HP Network Automation Software versions 10.0x through 10.00.02.00
HP Network Automation Software versions 10.1x through 10.10.99.99
Description

The RMI service of HP Network Automation deserializes untrusted data (CWE-502). A remote attacker who can reach the service can send a crafted serialized Java object that, through gadget chains in the Apache Commons Collections and Commons BeanUtils libraries used by the product, executes arbitrary commands on the host. No authentication is required (Au:N in the vector above).
Recommendations

For HP Network Automation Software versions 9.1x through 9.2x, update to version 10.00.02.01 or later.
For HP Network Automation Software versions 10.0x through 10.00.02.00, update to version 10.00.02.01 or later.
For HP Network Automation Software versions 10.1x through 10.10.99.99, update to version 10.11.00.01 or later.
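The weakness behind this advisory is a Java `ObjectInputStream` that accepts arbitrary class descriptors from the network. For the affected product the only fix is the vendor update above. For a Java RMI or socket service you maintain yourself, the standard mitigation is shown below as an added example written for this page (it is not code from HP, from the advisory, or from the Commons libraries): a look-ahead `ObjectInputStream` that rejects every class not on an explicit allowlist before the class is resolved, so gadget classes from Commons Collections or BeanUtils never get their `readObject()` invoked. The class name `AllowlistObjectInputStream`, the allowlist contents and the two constructed payloads are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

/**
 * Look-ahead ObjectInputStream (example code, not from the affected product).
 * resolveClass() runs for every class descriptor in the stream, before the
 * class is loaded and before any readObject()/readResolve() on it executes,
 * so a gadget chain built from Commons Collections or BeanUtils classes is
 * rejected at the descriptor and never gets to run.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
        super(new ByteArrayInputStream(data));
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail closed: anything not explicitly expected is refused.
            throw new InvalidClassException(name, "class not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Serialize an object to bytes; stands in for what arrives over the RMI socket. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical allowlist for an endpoint that only ever expects a list of strings.
        // (String elements are written as TC_STRING records and carry no class descriptor,
        // so only ArrayList itself needs to be listed.)
        Set<String> allowed = Set.of("java.util.ArrayList");

        // Constructed benign payload: accepted.
        List<String> benign = new ArrayList<>(List.of("device-1", "device-2"));
        try (ObjectInputStream in = new AllowlistObjectInputStream(serialize(benign), allowed)) {
            System.out.println("accepted: " + in.readObject());
        }

        // Constructed payload of a type the endpoint does not expect: rejected at the class
        // descriptor, before HashMap.readObject() runs. A Commons Collections or BeanUtils
        // gadget chain fails this same check at its first class descriptor.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        try (ObjectInputStream in = new AllowlistObjectInputStream(serialize(unexpected), allowed)) {
            in.readObject();
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats for anyone applying this pattern. First, `resolveClass` is not invoked for dynamic proxies; a production filter must override `resolveProxyClass` with the same allowlist logic. Second, an operator of a third-party RMI service (as in this advisory) cannot substitute their own stream subclass, because the RMI runtime constructs its streams internally; on JDK 8u121 and later, and on JDK 9 and later, the process-wide `jdk.serialFilter` system property applies an equivalent allowlist/denylist to those streams as well, and is the right knob when the vendor update cannot be applied immediately.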

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2016-4385
ZDI-16-523

Affected Products

Apache Commons Beanutils
Apache Commons Collections
Hpe Network Automation