9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Recent assessments:
securitony at February 29, 2020 8:41pm UTC reported:
Several Red Hat JBoss products (JBoss Middleware Suite) widely used in enterprise environments were found to be vulnerable to a Java object serialization flaw. Exploit code is publicly available and PoC exploits are easy to develop, which allow attackers to execute arbitrary code on the affected servers with the permissions of the JBoss application.
The vulnerability resides in Apache Commons Collections library which allows deserialization of untrusted user input in JBoss and many other software products (for more information: <https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>),
J3rryBl4nks at March 10, 2020 2:48pm UTC reported:
Several Red Hat JBoss products (JBoss Middleware Suite) widely used in enterprise environments were found to be vulnerable to a Java object serialization flaw. Exploit code is publicly available and PoC exploits are easy to develop, which allow attackers to execute arbitrary code on the affected servers with the permissions of the JBoss application.
The vulnerability resides in Apache Commons Collections library which allows deserialization of untrusted user input in JBoss and many other software products (for more information: <https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>),
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
rhn.redhat.com/errata/RHSA-2015-2500.html
rhn.redhat.com/errata/RHSA-2015-2501.html
rhn.redhat.com/errata/RHSA-2015-2502.html
rhn.redhat.com/errata/RHSA-2015-2514.html
rhn.redhat.com/errata/RHSA-2015-2516.html
rhn.redhat.com/errata/RHSA-2015-2517.html
rhn.redhat.com/errata/RHSA-2015-2521.html
rhn.redhat.com/errata/RHSA-2015-2522.html
rhn.redhat.com/errata/RHSA-2015-2524.html
rhn.redhat.com/errata/RHSA-2015-2670.html
rhn.redhat.com/errata/RHSA-2015-2671.html
rhn.redhat.com/errata/RHSA-2016-0040.html
rhn.redhat.com/errata/RHSA-2016-1773.html
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
www.securityfocus.com/bid/78215
www.securitytracker.com/id/1034097
www.securitytracker.com/id/1037052
www.securitytracker.com/id/1037053
www.securitytracker.com/id/1037640
access.redhat.com/security/vulnerabilities/2059393
access.redhat.com/solutions/2045023
bugzilla.redhat.com/show_bug.cgi?id=1279330
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
rhn.redhat.com/errata/RHSA-2015-2536.html
www.oracle.com/security-alerts/cpujul2020.html
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C