Bug 1327037 (CVE-2016-3690) - CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data
Summary: CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-3690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1334139 1334142 1334143 1334144 1334145 1369987
Blocks: 1283518
 
Reported: 2016-04-14 07:10 UTC by Jason Shepherd
Modified: 2021-02-17 04:03 UTC (History)
CC List: 25 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-10-16 22:18:18 UTC
Embargoed:



Description Jason Shepherd 2016-04-14 07:10:27 UTC
The HA Pooled Invoker allows unauthorised access, and deserializes any payload sent to it.

This is one of the attack vectors for CVE-2015-7501. There are many new gadget chains available in the ysoserial project. For example, the Beanshell library could be used to create a malicious serialized object. When deserialized by the HA Pooled Invoker servlet, it allows remote code execution.

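The description above boils down to an unauthenticated HTTP endpoint that hands whatever body it receives to Java deserialization, so a gadget chain in the request body (BeanShell, Commons Collections) gets executed. The script below is an added example, not code from this bug or from Red Hat, showing what a request-body inspection for such an endpoint looks like: it checks for the Java serialization stream header, scans TC_CLASSDESC records for class names, and flags names matching gadget-class indicators. The indicator list and the sample bodies are constructed for the example (the BeanShell1 chain in ysoserial declares `bsh.XThis$Handler` behind a `java.lang.reflect.Proxy`); the scanner is deliberately a heuristic, not a full stream parser, as its docstring says.

```python
import re
import struct

# Java serialization stream protocol constants (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73      # new object, followed by a class descriptor
TC_CLASSDESC = 0x72   # class descriptor: UTF name, serialVersionUID, flags, fields

# Fully qualified Java class names, e.g. "org.apache.commons.collections.map.LazyMap"
# or "bsh.XThis$Handler".
_CLASS_NAME = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")

# Assumed indicator list, constructed for this example: class-name prefixes that
# occur in the ysoserial BeanShell chain named on this page and in the Commons
# Collections chains behind CVE-2015-7501. Extend it for your own environment.
GADGET_INDICATORS = (
    "bsh.",                                              # BeanShell1
    "org.apache.commons.collections.functors.",          # CommonsCollections1..
    "org.apache.commons.collections4.functors.",
    "sun.reflect.annotation.AnnotationInvocationHandler",
)


def is_java_serialized(body: bytes) -> bool:
    """True if the body starts with the Java serialization stream header."""
    return body[:4] == STREAM_MAGIC + STREAM_VERSION


def java_class_names(body: bytes) -> list:
    """Heuristically extract class names from TC_CLASSDESC records.

    This is a scanner, not a full parser: it does not walk field descriptors or
    resolve TC_REFERENCE back-references, so it sees only the first occurrence
    of each class. That is enough to spot gadget classes, which must be declared
    at least once in any payload that uses them.
    """
    names = []
    i = 0
    while i < len(body) - 3:
        if body[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", body[i + 1:i + 3])
            raw = body[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(raw) == length:
                try:
                    name = raw.decode("ascii")
                except UnicodeDecodeError:
                    name = ""
                if _CLASS_NAME.match(name):
                    names.append(name)
                    i += 3 + length
                    continue
        i += 1
    return names


def gadget_hits(body: bytes) -> list:
    """Return the class names in a serialized body that match a gadget indicator."""
    if not is_java_serialized(body):
        return []
    return [n for n in java_class_names(body)
            if any(n.startswith(p) for p in GADGET_INDICATORS)]


def _classdesc(name: str) -> bytes:
    """Build a minimal TC_CLASSDESC record (constructed test data only):
    UTF name, zero serialVersionUID, SC_SERIALIZABLE flag, zero fields,
    TC_ENDBLOCKDATA, TC_NULL super-class descriptor."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78" + b"\x70")


# Constructed sample request bodies (not captured traffic).
BENIGN_BODY = b'{"action": "status"}'
BENIGN_STREAM = (STREAM_MAGIC + STREAM_VERSION
                 + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap"))
BEANSHELL_STREAM = (STREAM_MAGIC + STREAM_VERSION
                    + bytes([TC_OBJECT]) + _classdesc("java.util.PriorityQueue")
                    + bytes([TC_OBJECT]) + _classdesc("java.lang.reflect.Proxy")
                    + bytes([TC_OBJECT]) + _classdesc("bsh.XThis$Handler"))

if __name__ == "__main__":
    for label, body in (("benign json", BENIGN_BODY),
                        ("benign stream", BENIGN_STREAM),
                        ("beanshell stream", BEANSHELL_STREAM)):
        print(label, is_java_serialized(body), gadget_hits(body))
```

Two caveats a practitioner should keep in mind: an indicator list only catches chains you already know about, which is why the mitigation recorded later in this bug is to remove the servlet rather than filter its input; and because the scanner does not resolve back-references, it is suitable for flagging requests, not for proving a body is safe.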
Comment 1 Jason Shepherd 2016-04-14 07:13:33 UTC
Acknowledgments:

Name: Dennis Reed (Red Hat)

Comment 5 Jason Shepherd 2016-05-09 02:13:46 UTC
A KCS is already published on the topic: https://access.redhat.com/solutions/45530

Comment 7 Jason Shepherd 2016-05-09 02:20:13 UTC
Need to update Installation Guides with a WARNING about unsecured Invokers, and link to the KCS Solution 45530

Comment 10 Jason Shepherd 2016-08-19 06:34:43 UTC
Mitigation:

The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: https://access.redhat.com/solutions/178393

Comment 12 Jason Shepherd 2016-10-16 22:18:18 UTC
A proactive notification was sent to customers on 7th October.

