Bug 1327037 (CVE-2016-3690)
| Summary: | CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aileenc, alazarot, dandread, etirelli, fnasser, gvarsami, huwang, jcoleman, kconner, ldimaggi, lgao, lpetrovi, mbaluch, mwinkler, myarboro, nwallace, pavelp, pcheung, rrajasek, rwagner, rzhang, security-response-team, tcunning, tkirby, twalsh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was discovered that the LegacyInvokerServlet is exposed on all network interfaces and deserializes objects sent to it. An attacker could use this flaw to cause remote code execution in the JVM running it. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-16 22:18:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1334139, 1334142, 1334143, 1334144, 1334145, 1369987 | | |
| Bug Blocks: | 1283518 | | |
Description
Jason Shepherd
2016-04-14 07:10:27 UTC
Acknowledgments: Name: Dennis Reed (Red Hat)

Any KCS already published on the topic: https://access.redhat.com/solutions/45530

Need to update Installation Guides with WARNING about unsecured Invokers, and link to the KCS Solution 45530.

Mitigation: The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: https://access.redhat.com/solutions/178393

A proactive notification was sent to customers on 7th October.
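The Doc Text above describes the flaw class (an invoker servlet that deserializes whatever is POSTed to it) and the comment's mitigation is to remove the servlet. Until that is done, or to confirm afterwards that nothing is still sending serialized objects at it, a practitioner usually wants a way to recognise such traffic. The following is an added example written for this page, not code from the bug report, Red Hat, or JBoss: it flags HTTP requests whose body begins with the Java serialization stream header (0xACED 0x0005) and, for the common TC_OBJECT/TC_CLASSDESC layout, reads the name of the top-level class being deserialized. The `/invoker/` URL prefix and the `com.example.Gadget` class name are assumptions made for the sample data; confirm the real servlet mapping against your own deployment.

```python
# Added example (not from the bug report): recognise Java serialization streams
# in HTTP request bodies, as an attacker would send them to an exposed invoker
# servlet, and report the top-level class name where the stream layout allows.
import struct

# ObjectOutputStream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73      # typecode: a new object follows
TC_CLASSDESC = 0x72   # typecode: an inline class descriptor follows

# ASSUMPTION for illustration only; the report does not state the servlet's URL.
ASSUMED_INVOKER_PREFIX = "/invoker/"


def is_java_serialized(body: bytes) -> bool:
    """True if the body starts with the Java serialization stream header."""
    return body.startswith(STREAM_MAGIC)


def first_class_name(body: bytes):
    """Return the class name of the first serialized object, or None.

    Only the most common layout is handled: TC_OBJECT, TC_CLASSDESC, then a
    2-byte big-endian length and the modified-UTF-8 class name. Streams that
    start with a back-reference, proxy descriptor, string or array give None
    rather than a guess.
    """
    if not is_java_serialized(body) or len(body) < 8:
        return None
    if body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", body[6:8])
    name = body[8:8 + name_len]
    if len(name) != name_len:      # truncated stream
        return None
    return name.decode("utf-8", errors="replace")


def classify_request(method: str, path: str, body: bytes) -> dict:
    """Rate one request: serialized object aimed at the invoker path is 'high',
    either condition on its own is 'medium', anything else is 'none'."""
    serialized = is_java_serialized(body)
    to_invoker = path.startswith(ASSUMED_INVOKER_PREFIX)
    if serialized and to_invoker:
        severity = "high"
    elif serialized or to_invoker:
        severity = "medium"
    else:
        severity = "none"
    return {
        "method": method.upper(),
        "path": path,
        "severity": severity,
        "java_serialized": serialized,
        "invoker_path": to_invoker,
        "first_class": first_class_name(body),
    }


def sample_requests():
    """Constructed sample traffic (not real captures) for running the check."""
    gadget = b"com.example.Gadget"   # made-up class name for the sample only
    payload = (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
               + struct.pack(">H", len(gadget)) + gadget + b"\x00" * 8)
    return [
        ("GET", "/index.html", b""),
        ("POST", "/invoker/PooledInvokerServlet", payload),   # assumed mapping
        ("POST", "/app/upload", payload),
        ("GET", "/invoker/PooledInvokerServlet", b""),
    ]


def scan(requests) -> list:
    """Classify every request and return the results in input order."""
    return [classify_request(*req) for req in requests]


if __name__ == "__main__":
    for result in scan(sample_requests()):
        print(result["severity"], result["method"], result["path"],
              result["first_class"])
```

The check is deliberately narrow: the magic bytes are a reliable signal that a body is a Java object stream, but the class name is only recovered for streams whose first element is an inline class descriptor, so treat a `None` class name with a positive `java_serialized` as still worth investigating. Once the servlet has been removed per the knowledgebase solution, any request that still scores `medium` on the invoker path is a client that has not been updated.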