Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2016-0376

Published: Jun 03, 2016 | Modified: Sep 12, 2023
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
5.1 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P
RedHat/V2
6.8 CRITICAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2016-0376
CWEhttps://cwe.mitre.org/data/definitions/NVD-Other.html

The com.ibm.rmi.io.SunSerializableFactory class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) does not properly deserialize classes in an AccessController doPrivileged block, which allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code as demonstrated by the readValue method of the com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton class, which implements the javax.rmi.CORBA.ValueHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-5456.

Affected Software

Name Vendor Start Version End Version
Suse_linux_enterprise_software_development_kit Novell 11.0-sp4 (including) 11.0-sp4 (including)
Suse_linux_enterprise_software_development_kit Novell 12.0 (including) 12.0 (including)
Suse_linux_enterprise_software_development_kit Novell 12.0-sp1 (including) 12.0-sp1 (including)
Suse_linux_enterprise_module_for_legacy_software Novell 12 (including) 12 (including)
Suse_linux_enterprise_server Novell 11.0-sp2 (including) 11.0-sp2 (including)
Suse_linux_enterprise_server Novell 11.0-sp3 (including) 11.0-sp3 (including)
Suse_linux_enterprise_server Novell 11.0-sp4 (including) 11.0-sp4 (including)
Suse_linux_enterprise_server Novell 12.0 (including) 12.0 (including)
Suse_linux_enterprise_server Novell 12.0-sp1 (including) 12.0-sp1 (including)
Suse_manager Novell 2.1 (including) 2.1 (including)
Suse_manager_proxy Novell 2.1 (including) 2.1 (including)
Suse_openstack_cloud Novell 5 (including) 5 (including)
Red Hat Enterprise Linux 5 Supplementary RedHat java-1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5 *
Red Hat Enterprise Linux 5 Supplementary RedHat java-1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el5 *
Red Hat Enterprise Linux 6 Supplementary RedHat java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7 *
Red Hat Enterprise Linux 6 Supplementary RedHat java-1.6.0-ibm-1:1.6.0.16.25-1jpp.1.el6_7 *
Red Hat Enterprise Linux 6 Supplementary RedHat java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el6 *
Red Hat Enterprise Linux 7 Supplementary RedHat java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el7 *
Red Hat Enterprise Linux 7 Supplementary RedHat java-1.8.0-ibm-1:1.8.0.3.0-1jpp.1.el7 *
Red Hat Satellite 5.6 RedHat java-1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5 *
Red Hat Satellite 5.6 RedHat java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7 *
Red Hat Satellite 5.6 RedHat spacewalk-java-0:2.0.2-109.el6sat *
Red Hat Satellite 5.6 RedHat java-1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8 *
Red Hat Satellite 5.7 RedHat java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7 *
Red Hat Satellite 5.7 RedHat spacewalk-java-0:2.3.8-146.el6sat *
Red Hat Satellite 5.7 RedHat java-1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8 *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use