Back to bug 1395077
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Jason Shepherd | 2016-11-15 05:29:53 UTC | CC | security-response-team | |
| Jason Shepherd | 2016-11-15 05:54:15 UTC | Blocks | 1395084 | |
| Jason Shepherd | 2016-11-16 04:20:06 UTC | Alias | CVE-2016-8648 | |
| Jason Shepherd | 2016-11-16 04:20:09 UTC | Summary | EMBARGOED JMX Console RCE during deserialization | EMBARGOED CVE-2016-8648 JMX Console RCE during deserialization |
| Jason Shepherd | 2016-11-17 03:25:55 UTC | Whiteboard | impact=important,public=20161220,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected | impact=important,public=20161220,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected |
| Jason Shepherd | 2016-11-17 05:08:43 UTC | Summary | EMBARGOED CVE-2016-8648 JMX Console RCE during deserialization | EMBARGOED CVE-2016-8648 Karaf JMX Console RCE during deserialization |
| Jason Shepherd | 2016-11-24 06:41:42 UTC | Whiteboard | impact=important,public=20161220,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected | impact=moderate,public=20161220,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected |
| Jason Shepherd | 2016-11-24 06:41:49 UTC | Severity | high | medium |
| Jason Shepherd | 2016-11-24 06:41:52 UTC | Priority | high | medium |
| Jason Shepherd | 2016-11-24 06:41:55 UTC | Whiteboard | impact=moderate,public=20161220,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected | impact=moderate,public=20161115,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected |
| Jason Shepherd | 2016-11-24 06:41:58 UTC | Summary | EMBARGOED CVE-2016-8648 Karaf JMX Console RCE during deserialization | CVE-2016-8648 Karaf JMX Console RCE during deserialization |
| Jason Shepherd | 2016-11-24 06:42:00 UTC | Group | security, qe_staff | |
| Jason Shepherd | 2016-11-24 06:42:24 UTC | Whiteboard | impact=moderate,public=20161115,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected |
| Jason Shepherd | 2016-11-24 07:10:01 UTC | Doc Text | It was found that the Karaf container uses by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath. | |
| Andrej Nemec | 2016-11-25 08:09:56 UTC | Whiteboard | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected |
| Eric Christensen | 2016-11-28 14:58:38 UTC | Doc Text | It was found that the Karaf container uses by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath. | It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath. |
| Summer Long | 2016-11-30 01:12:18 UTC | CC | slong | |
| Summer Long | 2016-11-30 01:12:18 UTC | Whiteboard | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected,openstack-8/opendaylight=notaffected,openstack-9/opendaylight=notaffected |
| Summer Long | 2016-11-30 01:16:29 UTC | CC | jshepherd | |
| Summer Long | 2016-11-30 01:16:29 UTC | Flags | needinfo?(jshepherd) | |
| Jason Shepherd | 2016-11-30 01:45:39 UTC | Whiteboard | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,amq-6.3.0/Karaf=affected,openstack-8/opendaylight=notaffected,openstack-9/opendaylight=notaffected | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,openstack-8/opendaylight=notaffected,openstack-9/opendaylight=notaffected |
| Jason Shepherd | 2016-11-30 01:46:02 UTC | Whiteboard | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,openstack-8/opendaylight=notaffected,openstack-9/opendaylight=notaffected | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,openstack-8/opendaylight=notaffected,openstack-9/opendaylight=notaffected,amq-6/Karaf=affected |
| Jason Shepherd | 2016-11-30 01:47:24 UTC | Flags | needinfo?(jshepherd) | |
| Hiram Chirino | 2016-12-02 14:09:27 UTC | CC | hchirino | |
| Hooman Broujerdi | 2016-12-19 01:41:49 UTC | CC | hghasemb | |
| PnT Account Manager | 2018-11-09 22:32:38 UTC | CC | hghasemb | |
| Product Security DevOps Team | 2019-09-29 13:59:56 UTC | Whiteboard | impact=moderate,public=20161124,reported=20161115,source=redhat,cvss2=6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P,cvss3=7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fuse-6/karaf=affected,openstack-8/opendaylight=notaffected,openstack-9/opendaylight=notaffected,amq-6/Karaf=affected | |
| Joshua Padman | 2021-10-21 11:47:44 UTC | Status | NEW | CLOSED |
| Joshua Padman | 2021-10-21 11:47:44 UTC | Resolution | --- | ERRATA |
| Joshua Padman | 2021-10-21 11:47:44 UTC | Last Closed | 2021-10-21 11:47:44 UTC | |