CVE-2016-8648
Last modified
CVE-2016-8648 is a vulnerability of currently unknown severity. It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.. EPSS estimates a 2.00% chance of exploitation in the next 30 days.
Description
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss A-Mq | 6.0.0 |
| Redhat | Jboss Fuse | 6.0.0 |
References
- http://www.securityfocus.com/bid/94513Third Party Advisory, VDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648Issue Tracking, Mitigation, Third Party Advisory
- http://www.securityfocus.com/bid/94513Third Party Advisory, VDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648Issue Tracking, Mitigation, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-8648?
How severe is CVE-2016-8648?
How do I fix CVE-2016-8648?
Are you affected by CVE-2016-8648?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST