PT-2018-5045 · Apache+2 · Karaf+3
Jason Shepherd · Published 2018-08-01 · Updated 2023-02-12 · CVE-2016-8648
CVSS v3.1: 7.2 High (Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions
Red Hat JBoss Fuse versions 6.x
Red Hat JBoss A-MQ versions 6.x
Description
A flaw was discovered in the Karaf container used by Red Hat JBoss Fuse and Red Hat JBoss A-MQ, where it deserializes objects passed to MBeans via JMX operations. This could allow an attacker to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath.
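The class of bug described above is a JMX operation that hands caller-supplied bytes to an unrestricted `ObjectInputStream`, so any `Serializable` class on the classpath can be instantiated. The example below is an added illustration, not Karaf, JBoss Fuse or A-MQ code: it shows the mitigation pattern a Java 9+ endpoint can apply, an allow-list `ObjectInputFilter` (JEP 290) installed on the stream before `readObject()`, beside the unfiltered read. `QueueSettings` is a hypothetical MBean argument type, and the `HashMap` stands in for any class outside the allow-list; it is benign here, the point is that the filter decides on class identity before any `readObject` or constructor logic runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (not Karaf/JBoss code): allow-list deserialization filter for
// caller-supplied serialized MBean arguments. Requires Java 9+ (JEP 290).
public class MBeanArgumentFilterDemo {

    // Hypothetical MBean argument type: the only application class this endpoint expects.
    public static final class QueueSettings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String queueName;
        final int maxDepth;
        QueueSettings(String queueName, int maxDepth) {
            this.queueName = queueName;
            this.maxDepth = maxDepth;
        }
    }

    // Allow the expected argument type plus java.lang value types (String, boxed numbers);
    // the trailing "!*" rejects every other class. maxdepth/maxarray bound nesting and
    // array sizes that legitimate arguments never need.
    static final ObjectInputFilter MBEAN_ARG_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=100;java.lang.*;" + QueueSettings.class.getName() + ";!*");

    // Stand-in for the MBean operation that receives a serialized argument from a remote caller.
    static Object readArgument(byte[] untrusted, boolean filtered)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            if (filtered) {
                in.setObjectInputFilter(MBEAN_ARG_FILTER); // checked before each class is resolved
            }
            return in.readObject();
        }
    }

    // Produces the serialized bytes that play the role of the caller's argument (constructed input).
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new QueueSettings("orders", 1000));

        // Any class outside the allow-list; HashMap is harmless but is not an expected argument.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] outOfPolicy = serialize(unexpected);

        QueueSettings ok = (QueueSettings) readArgument(expected, true);
        System.out.println("filtered accepts expected type: " + ok.queueName + " / " + ok.maxDepth);

        // Unfiltered stream: whatever Serializable class the bytes name gets instantiated.
        System.out.println("unfiltered accepts: " + readArgument(outOfPolicy, false).getClass().getName());

        // Filtered stream: the class is rejected as soon as its descriptor is read.
        try {
            readArgument(outOfPolicy, true);
            System.out.println("filter did not fire (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects HashMap: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the `jdk.serialFilter` system property instead of per stream, which is the practical option when the deserialization happens inside a library (such as a JMX connector) rather than in code you control. A filter is defense in depth, not a replacement for the update the advisory recommends: it only helps where the expected argument types are known and narrow, and an allow-list that admits a broad package (for example `java.util.*`) readmits the collection classes most gadget chains are built from.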
Recommendations
For Red Hat JBoss Fuse version 6.x, update to a version that includes a fix for this issue.
For Red Hat JBoss A-MQ version 6.x, update to a version that includes a fix for this issue.
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Java Virtual Machine
Karaf
Red Hat JBoss A-MQ
Red Hat JBoss Fuse