CVE-2016-8648
Summary
| CVE | CVE-2016-8648 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-08-01 14:29:00 UTC |
| Updated | 2023-02-12 23:26:00 UTC |
| Description | It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath. |
Risk And Classification
Problem Types: CWE-502
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Redhat | Jboss A-mq | 6.0.0 | All | All | All |
| Application | Redhat | Jboss A-mq | 6.0.0 | All | All | All |
| Application | Redhat | Jboss Fuse | 6.0.0 | All | All | All |
| Application | Redhat | Jboss Fuse | 6.0.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Karaf CVE-2016-8648 Remote Code Execution Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| 1395077 – (CVE-2016-8648) CVE-2016-8648 Karaf JMX Console RCE during deserialization | CONFIRM | bugzilla.redhat.com | Issue Tracking, Mitigation, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.