CVE-2016-3690
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://bugzilla.redhat.com/show_bug.cgi?id=1327037
Vendor advisory: secalert@redhat.com — https://access.redhat.com/solutions/45530
Vendor advisory: secalert@redhat.com — https://access.redhat.com/solutions/178393
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | 4.2.0 | |
| redhat | jboss_enterprise_application_platform | 4.3.0 | |
| redhat | jboss_enterprise_application_platform | 5.0.0 | |
| redhat | jboss_enterprise_application_platform | 5.1.0 | |
| redhat | jboss_enterprise_application_platform | 5.1.1 | |
| redhat | jboss_enterprise_application_platform | 5.1.2 | |
| redhat | jboss_enterprise_application_platform | 5.2.0 | |
References
- http://www.securityfocus.com/bid/99079
- https://access.redhat.com/solutions/178393
- https://access.redhat.com/solutions/45530
- https://bugzilla.redhat.com/show_bug.cgi?id=1327037
- http://www.securityfocus.com/bid/99079
- https://access.redhat.com/solutions/178393
- https://access.redhat.com/solutions/45530
- https://bugzilla.redhat.com/show_bug.cgi?id=1327037
CWEs
CWE-502
Verify integrity in audit chain (admin only). AS-IS.