CVSS2: 9.3 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |

CVSS3: 9.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS: 0.005 Low (Percentile: 77.3%)
The Aternity webserver, version 9 and prior, is reportedly vulnerable to cross-site scripting (XSS) on several web pages, and remote code execution via inclusion of untrusted functionality by default due to improper authentication before execution.
**CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)** - CVE-2016-5061

Reportedly, the Aternity HTTPAgent, MacAgent, getExternalURL and retrieveTrustedUrl pages are susceptible to cross-site scripting (XSS). An attacker may be able to craft a malicious script that can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server.
**CWE-829: Inclusion of Functionality from Untrusted Control Sphere** - CVE-2016-5062

Reportedly, the Aternity server by default allows remote loading of Java MBeans using the getMBeansFromURL method without proper authentication due to a misconfiguration of JMX RMI services. A remote attacker may utilize this misconfiguration to register attacker-controlled MBeans, which are Java classes that can invoke Java language functionality including system commands, resulting in remote code execution with SYSTEM privileges.

Note that Aternity provides recommended firewall settings which would block exploitation of this vulnerability; only misconfigured servers would be directly vulnerable.
The vulnerable configuration has been documented by Oracle for some time. As shown in the official documents:
"To disable both password authentication and SSL (namely to disable all security), you should set the following system properties when you start the Java VM.

com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=false

Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.

Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems."
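To help operators spot the insecure configuration Oracle describes above, the following added example (not from the advisory, CERT/CC or Aternity) audits JVM launch command lines for the com.sun.management.jmxremote properties. It assumes the constructed command lines shown inline, applies the JDK defaults (authentication and SSL are on once a remote port is set), and reports when remote JMX is exposed without either protection.

```python
import shlex

# Constructed sample JVM launch lines (not taken from the advisory). The first
# reproduces the insecure settings quoted from Oracle's documentation; the
# second sets a remote port but keeps the JDK defaults for authentication/SSL.
INSECURE_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=14777 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false -jar server.jar"
)
HARDENED_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=14777 "
    "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password "
    "-jar server.jar"
)

# JDK defaults for the remote JMX agent: when a port is configured, both
# password authentication and SSL are enabled unless explicitly disabled.
DEFAULTS = {"authenticate": "true", "ssl": "true"}
PREFIX = "-Dcom.sun.management.jmxremote."


def jmx_properties(cmdline: str) -> dict:
    """Collect com.sun.management.jmxremote.* properties from a JVM command line."""
    props = dict(DEFAULTS)
    for arg in shlex.split(cmdline):
        if arg.startswith(PREFIX):
            key, _, value = arg[len(PREFIX):].partition("=")
            # A bare -Dname (no '=') sets the property to "true" in the JVM.
            props[key] = value.lower() if value else "true"
    return props


def audit_jmx(cmdline: str) -> list:
    """Return findings when the remote JMX agent is reachable without protection."""
    props = jmx_properties(cmdline)
    port = props.get("port")
    if port is None:
        return []  # no remote JMX port configured, nothing exposed over RMI
    findings = []
    if props["authenticate"] == "false":
        # Without authentication an MLet MBean can load MBeans from arbitrary
        # URLs, which is the condition the advisory describes for CVE-2016-5062.
        findings.append(f"remote JMX on port {port} with authentication disabled")
    if props["ssl"] == "false":
        findings.append(f"remote JMX on port {port} without SSL")
    return findings
```

Run audit_jmx over the command lines of the Java processes on a host (for example from ps output); any finding means the JMX port must at minimum be firewalled as Aternity recommends.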
It is believed that Aternity version 9 and prior are affected by this vulnerability, but the CERT/CC has not received confirmation from the vendor.
A remote unauthenticated attacker may be able to craft a malicious script that can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server, or execute code on the server with SYSTEM privileges.
The CERT/CC is currently unaware of a practical solution to this problem. However, the following workarounds are recommended:
Restrict port 14777
Restricting inbound remote access to Aternity via port 14777 mitigates this issue.
Vulnerability Note VU#706359
Vendor: Aternity (status: Unknown). Notified: August 09, 2016. Updated: September 13, 2016.

We have not received a statement from the vendor.

We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 7.6 | E:POC/RL:W/RC:UR |
Environmental | 5.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Matthew Benton and Richard Kelley for reporting this vulnerability.
This document was written by Garret Wassermann.
Field | Value |
---|---|
CVE IDs | CVE-2016-5061, CVE-2016-5062 |
Date Public | 2016-09-28 |
Date First Published | |