1395077 – (CVE-2016-8648) CVE-2016-8648 Karaf JMX Console RCE during deserialization

Bug 1395077 (CVE-2016-8648) - CVE-2016-8648 Karaf JMX Console RCE during deserialization

Summary: CVE-2016-8648 Karaf JMX Console RCE during deserialization

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-8648
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1395074 (view as bug list)
Depends On:
Blocks:	1395084
TreeView+	depends on / blocked

Reported:	2016-11-15 05:29 UTC by Jason Shepherd
Modified:	2021-10-21 11:47 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.
Clone Of:
Environment:
Last Closed:	2021-10-21 11:47:44 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jason Shepherd 2016-11-15 05:29:53 UTC

It was found that Karaf deserializes objects passed to certain MBeans via the JMX endpoint. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine.

Comment 1 Jason Shepherd 2016-11-15 05:29:59 UTC

Acknowledgments:

Name: Jason Shepherd (Red Hat)

Comment 4 Jason Shepherd 2016-11-24 06:45:54 UTC

Mitigation:

In order to exploit this issue you need to have credentials of a user with the 'admin' role. Therefore a good mitigation against this attack is to set a strong password for any user with the 'admin' role in the 'etc/users.properties' file of the Red Hat JBoss Fuse 6, or Red Hat JBoss AM-Q 6.

Comment 6 Jason Shepherd 2016-11-30 01:46:52 UTC

Updated it to amq-6. However seems amq-6.3.0 was valid to me. Maybe you didn't have the latest product.ini?

Comment 7 Hiram Chirino 2016-12-02 14:09:27 UTC

Which MBeans are affected?

Comment 11 Jason Shepherd 2020-07-13 22:20:34 UTC

*** Bug 1395074 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.