Vulnerability Details : CVE-2016-8648
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x and Red Hat JBoss A-MQ 6.x deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean's classpath contains deserialization gadgets. Both CVSS vectors below (Au:S, PR:H) reflect that the attacker must first authenticate to the JMX connector; the flaw is that, once connected, any serialized Java object supplied as an operation argument is reconstructed before the operation's declared parameter types are checked.
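As an added hardening example (not code from this page, from Apache Karaf or from Red Hat, and not the vendor's fix for this CVE), the following Java program registers a hypothetical standard MBean and exposes it over the stock JMX RMI connector with a JDK deserialization filter attached, so that any class not on an allow-list is rejected while the connector unmarshals operation arguments, before any constructor or `readObject` logic of a gadget class can run. The MBean name `example:type=Admin`, the `AdminMBean` interface, the port and the allow-list pattern are assumptions for illustration; the connector property `RMIConnectorServer.SERIAL_FILTER_PATTERN` is a real JDK API available since JDK 10.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;

public class FilteredJmxServer {

    // Hypothetical management interface. The operation only takes a String,
    // but the RMI connector deserializes the whole Object[] params array of a
    // remote invoke() before comparing it against this signature, so a narrow
    // parameter type is not a defence on its own; the filter below is.
    public interface AdminMBean {
        String reloadConfig(String path);
    }

    public static class Admin implements AdminMBean {
        @Override
        public String reloadConfig(String path) {
            return "reloaded " + path;
        }
    }

    // Assumed allow-list: JMX's own types, RMI plumbing and java.lang/java.util
    // value types. The trailing "!*" rejects every other class, so a gadget
    // chain is refused at class-resolution time with an InvalidClassException.
    static final String SERIAL_FILTER =
        "java.lang.*;java.util.*;javax.management.**;java.rmi.**;!*";

    public static JMXConnectorServer start(int port) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        mbs.registerMBean(new Admin(), new ObjectName("example:type=Admin"));

        LocateRegistry.createRegistry(port);
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");

        Map<String, Object> env = new HashMap<>();
        // Per-connector deserialization filter (JDK 10+). On JDK 8u121+/9,
        // which lack this property, the process-wide -Djdk.serialFilter=...
        // system property with the same pattern syntax covers the connector.
        env.put(RMIConnectorServer.SERIAL_FILTER_PATTERN, SERIAL_FILTER);

        JMXConnectorServer cs =
            JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        cs.start();
        return cs;
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer cs = start(1099);
        System.out.println("JMX listening at " + cs.getAddress());
    }
}
```

Run it with `java FilteredJmxServer` on JDK 10 or later and connect with `jconsole`: the `reloadConfig` operation still works because its `String` argument matches `java.lang.*`, whereas an invocation whose parameter array carries a class outside the pattern fails during unmarshalling on the server. Authentication and TLS on the connector are still required; the filter only removes the deserialization-to-RCE step that this CVE describes.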
Products affected by CVE-2016-8648
- cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-8648
- Score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~40% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2016-8648
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | 
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | 
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | Red Hat, Inc. | 
The first row is a CVSS v2 vector (unprefixed), the other two are CVSS v3.0; the "First Seen" column is empty on the page.
CWE ids for CVE-2016-8648
- CWE-502 (Deserialization of Untrusted Data): The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
  Assigned by: nvd@nist.gov (Secondary); secalert@redhat.com (Primary)
References for CVE-2016-8648
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648
  1395077 – (CVE-2016-8648) CVE-2016-8648 Karaf JMX Console RCE during deserialization (Mitigation; Issue Tracking; Third Party Advisory)
- http://www.securityfocus.com/bid/94513
  Apache Karaf CVE-2016-8648 Remote Code Execution Vulnerability (VDB Entry; Third Party Advisory)