Bug 1327037 (CVE-2016-3690)

Summary: CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data
Product: [Other] Security Response
Reporter: Jason Shepherd <jshepherd>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, alazarot, dandread, etirelli, fnasser, gvarsami, huwang, jcoleman, kconner, ldimaggi, lgao, lpetrovi, mbaluch, mwinkler, myarboro, nwallace, pavelp, pcheung, rrajasek, rwagner, rzhang, security-response-team, tcunning, tkirby, twalsh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the LegacyInvokerServlet is exposed on all network interfaces and deserializes objects sent to it. An attacker could use this flaw to cause remote code execution in the JVM running it.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-16 22:18:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1334139, 1334142, 1334143, 1334144, 1334145, 1369987
Bug Blocks: 1283518

Description Jason Shepherd 2016-04-14 07:10:27 UTC
The HA Pooled Invoker allows unauthorised access, and deserializes any payload sent to it.

This is one of the attack vectors for CVE-2015-7501. There are many new gadget chains available in the ysoserial project. For example, the Beanshell library could be used to create a malicious serialized object. When deserialized by the HA Pooled Invoker servlet, it allows remote code execution.

Comment 1 Jason Shepherd 2016-04-14 07:13:33 UTC
Acknowledgments:

Name: Dennis Reed (Red Hat)

Comment 5 Jason Shepherd 2016-05-09 02:13:46 UTC
A KCS already published on the topic: https://access.redhat.com/solutions/45530

Comment 7 Jason Shepherd 2016-05-09 02:20:13 UTC
Need to update Installation Guides with a WARNING about unsecured Invokers, and link to the KCS Solution 45530.

Comment 10 Jason Shepherd 2016-08-19 06:34:43 UTC
Mitigation:

The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: https://access.redhat.com/solutions/178393

Comment 12 Jason Shepherd 2016-10-16 22:18:18 UTC
A proactive notification was sent to customer on 7th October.