Bug 1327037 (CVE-2016-3690) - CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data
Summary: CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data
Alias: CVE-2016-3690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1334139 1334142 1334143 1334144 1334145 1369987
Blocks: 1283518
TreeView+ depends on / blocked
Reported: 2016-04-14 07:10 UTC by Jason Shepherd
Modified: 2021-02-17 04:03 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the LegacyInvokerServlet is exposed on all network interfaces and deserializes objects sent to it. An attacker could use this flaw to cause remote code execution in the JVM running it.
Clone Of:
Last Closed: 2016-10-16 22:18:18 UTC

Attachments (Terms of Use)

Description Jason Shepherd 2016-04-14 07:10:27 UTC
The HA Pooled Invoker allows unauthorised access, and deserializes any payload sent to it.

This is one of the attack vectors for CVE-2015-7501. There are many new gadget chains available in the ysoserial project. For example the Beanshell library could be used to create a malicious serialized object. When deserialized by the HA Pooled Invoker servlet allows remote code execution.

Comment 1 Jason Shepherd 2016-04-14 07:13:33 UTC

Name: Dennis Reed (Red Hat)

Comment 5 Jason Shepherd 2016-05-09 02:13:46 UTC
Any KCS already published on the topic: https://access.redhat.com/solutions/45530

Comment 7 Jason Shepherd 2016-05-09 02:20:13 UTC
Need to update Installation Guides with WARNING about unsecured Invokers, and linked to the KCS Solution 45530

Comment 10 Jason Shepherd 2016-08-19 06:34:43 UTC

The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: https://access.redhat.com/solutions/178393

Comment 12 Jason Shepherd 2016-10-16 22:18:18 UTC
A proactive notification was sent to customer on 7th October.

Note You need to log in before you can comment on or make changes to this bug.