Immunity Canvas: VREALIZE_VCOFACTORY_DESERIALIZE

2015-12-21 03:59:00
Immunity Canvas
exploitlist.immunityinc.com
CVSS3: 7.3 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low
Percentile: 65.6%

Name vrealize_vcofactory_deserialize
CVE CVE-2015-6934 Exploit Pack
VENDOR: VMware
NOTES:
IMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK.

VMware vRealize has a remoting interface named vcofactory. It communicates with a client by exchanging
serialized Java objects.

Apache Commons pre-3.2 allows users to serialize transformers on collection values.
Of importance to us is the InvokerTransformer, which is capable
of invoking Java methods. We are able to run these transformers by adding them to an
annotation map whose members are accessed. The right chain of method invocations leads to arbitrary
code execution.
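
A detection-side illustration of the paragraph above, as an added example that is not part of the Canvas module or of VMware's code: a heuristic scanner (not a full stream parser) that lists the class names declared in a captured Java serialized stream and flags those under the Commons Collections `functors` package, where InvokerTransformer lives. The deny prefix, the function names and the sample bytes are assumptions constructed for this example.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java serialization magic + version 5
TC_CLASSDESC = 0x72                   # type code that opens a class descriptor
# Assumption: deny the Commons Collections transformer package named on this page.
DENY_PREFIXES = ("org.apache.commons.collections.functors.",)
CLASS_NAME = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?$")


def serialized_class_names(data: bytes) -> list[str]:
    """Return class names declared after the first Java stream header in data."""
    names = []
    start = data.find(STREAM_MAGIC)
    if start < 0:
        return names                  # no serialized stream present
    i = start + len(STREAM_MAGIC)
    while i + 3 <= len(data):
        (length,) = struct.unpack_from(">H", data, i + 1)
        end = i + 3 + length
        # A real descriptor is followed by serialVersionUID (8) + flags (1).
        if data[i] == TC_CLASSDESC and 0 < length <= 512 and end + 9 <= len(data):
            name = data[i + 3:end].decode("ascii", "replace")
            if CLASS_NAME.match(name):
                names.append(name)
                i = end + 9           # skip past UID and flags
                continue
        i += 1
    return names


def denied_classes(data: bytes) -> list[str]:
    """Class names that a look-ahead filter on this endpoint should reject."""
    return [n for n in serialized_class_names(data) if n.startswith(DENY_PREFIXES)]


def _classdesc(name: str) -> bytes:
    """Constructed sample: a bare class descriptor header, no object data."""
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 9


# Constructed inputs (descriptor headers only, not working serialized objects).
BENIGN = STREAM_MAGIC + b"\x73" + _classdesc("java.util.HashMap")
SUSPECT = (b"junk" + STREAM_MAGIC + b"\x73" + _classdesc("java.util.HashMap")
           + _classdesc("org.apache.commons.collections.functors.InvokerTransformer"))
```

The same class-name check belongs on the server side as an allowlist applied before deserialization; scanning traffic only tells you that such a stream was sent.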

Tested targets:
> vRealize 6.0.1.2490144
- Windows 8.1 Pro x86_64 EN / Java 6u45 - SUCCESS
- Windows 8.1 Pro x86_64 EN / Java 7u80 - SUCCESS
- Windows 8.1 Pro x86_64 EN / Java 8u73 - SUCCESS

> vCenter Orchestrator Appliance
- Appliance’s VMDK is corrupted

> vRealize Operations Manager Appliance 6.2.0.3
- Publicly accessible interfaces require client certificate authentication. A CA-signed client certificate is necessary to connect.

Repeatability: Infinite
References: https://www.vmware.com/security/advisories/VMSA-2015-0009
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934
