
CVE-2016-8648

Deserialization of Untrusted Data

Published: Aug 01, 2018 | Modified: Nov 21, 2024
CVSS 3.x: 7.2 HIGH (Source: NVD)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS 2.x: 6.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:P

RedHat/V2: 6.5 MODERATE
AV:N/AC:L/Au:S/C:P/I:P/A:P

RedHat/V3: 7.2 MODERATE
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

It was found that the Karaf container used by Red Hat JBoss Fuse 6.x and Red Hat JBoss A-MQ 6.x deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath.

Weakness

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Software

Name         Vendor   Start Version       End Version
Jboss_a-mq   Redhat   6.0.0 (including)   6.0.0 (including)
Jboss_fuse   Redhat   6.0.0 (including)   6.0.0 (including)

Potential Mitigations

  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

References