Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1395077 - (CVE-2016-8648) CVE-2016-8648 Karaf JMX Console RCE during deserialization
CVE-2016-8648 Karaf JMX Console RCE during deserialization
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20161124,repor...
: Security
Depends On:
Blocks: 1395084
  Show dependency treegraph
 
Reported: 2016-11-15 00:29 EST by Jason Shepherd
Modified: 2016-12-18 21:36 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jason Shepherd 2016-11-15 00:29:53 EST 
It was found that Karaf deserializes objects passed to certain MBeans via the JMX endpoint. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine.
Comment 1 Jason Shepherd 2016-11-15 00:29:59 EST 
Acknowledgments:

Name: Jason Shepherd (Red Hat)
Comment 4 Jason Shepherd 2016-11-24 01:45:54 EST 
Mitigation:

In order to exploit this issue you need to have credentials of a user with the 'admin' role. Therefore a good mitigation against this attack is to set a strong password for any user with the 'admin' role in the 'etc/users.properties' file of the Red Hat JBoss Fuse 6, or Red Hat JBoss AM-Q 6.
Comment 6 Jason Shepherd 2016-11-29 20:46:52 EST 
Updated it to amq-6. However seems amq-6.3.0 was valid to me. Maybe you didn't have the latest product.ini?
Comment 7 Hiram Chirino 2016-12-02 09:09:27 EST 
Which MBeans are affected?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.