Bug 1327037 - (CVE-2016-3690) CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20160613,repo...
Keywords: Security
Depends On: 1334139 1334142 1334143 1334144 1334145 1369987
Blocks: 1283518
Reported: 2016-04-14 03:10 EDT by Jason Shepherd
Modified: 2016-11-08 11:06 EST (History)
Doc Type: Bug Fix
Doc Text:
It was discovered that the LegacyInvokerServlet is exposed on all network interfaces and deserializes objects sent to it. An attacker could use this flaw to cause remote code execution in the JVM running it.
Last Closed: 2016-10-16 18:18:18 EDT
Description Jason Shepherd 2016-04-14 03:10:27 EDT
The HA Pooled Invoker allows unauthorised access, and deserializes any payload sent to it.

This is one of the attack vectors for CVE-2015-7501. There are many new gadget chains available in the ysoserial project. For example, the Beanshell library could be used to create a malicious serialized object. When deserialized by the HA Pooled Invoker servlet, it allows remote code execution.
Comment 1 Jason Shepherd 2016-04-14 03:13:33 EDT
Acknowledgments:

Name: Dennis Reed, Red Hat
Comment 5 Jason Shepherd 2016-05-08 22:13:46 EDT
Any KCS already published on the topic: https://access.redhat.com/solutions/45530
Comment 7 Jason Shepherd 2016-05-08 22:20:13 EDT
Need to update Installation Guides with a WARNING about unsecured Invokers, and link to the KCS Solution 45530.
Comment 10 Jason Shepherd 2016-08-19 02:34:43 EDT
Mitigation:

The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: https://access.redhat.com/solutions/178393
Comment 12 Jason Shepherd 2016-10-16 18:18:18 EDT
A proactive notification was sent to customer on 7th October.