Lucene search

K
canvasImmunity CanvasJBOSS6_JMXINVOKERSERVLET_DESERIALIZE
HistoryNov 09, 2017 - 5:29 p.m.

Immunity Canvas: JBOSS6_JMXINVOKERSERVLET_DESERIALIZE

2017-11-0917:29:00
Immunity Canvas
exploitlist.immunityinc.com
579

EPSS

0.018

Percentile

88.4%

Name jboss6_jmxinvokerservlet_deserialize
CVE CVE-2015-7501 Exploit Pack
VENDOR: Red Hat
NOTES:
IMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK.

JBoss AS6 has a remote monitoring servlet named JMXInvokerServlet. It communicates
with a client by exchanging serialized Java Objects. Apache Commons pre-3.2 allows users to serialize
transformers on collection values. Of importance to us is the InvokerTransfomer, which is capable
of invoking Java methods. We are able to run these transformers by adding them to an
annotation map whose members are acccessed. The right chain of method invocations leads to arbitrary
code execution.

NOTE: By default, JBoss6 starts the console/management interface on localhost:8080.
For this module to work, the console/management interface needs to be accessible from
the host that runs CANVAS.

Version support:
> Ubuntu Linux 14.04.3 - x86
- 6.0.0 on Java SE 6 / 7 / 8
- 4.2.0 on Java SE 6 / 7 / 8
- 4.2.1 on Java SE 7
- 4.2.3 on Java SE 7
> Windows 7 Ultimate SP 1 x86
- 6.0.0 on Java SE 6 / 7
- 6.0.0 on Java SE 8 FAILED
- 4.2.0 on Java SE 6 / 7
- 4.2.0 on Java SE 8 FAILED
- 4.2.1 on Java SE 6 / 7
- 4.2.1 on Java SE 8 FAILED
- 4.2.3 on Java SE 6 / 7
- 4.2.3 on Java SE 8 FAILED

Repeatability: Infinite
References: [‘http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/’, ‘https://access.redhat.com/security/cve/CVE-2015-7501’, ‘https://access.redhat.com/solutions/2045023’]
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501