4166 matches found

Fedora
added 2016/04/04 5:28 p.m., 31 views

[SECURITY] Fedora 24 Update: xstream-1.4.9-1.fc24

XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...

CVSS 7.5 | AI score 0.4 | EPSS 0.04224
Exploits 0
CNVD
added 2016/03/31 12:00 a.m., 1 view

Atlassian Bamboo Arbitrary Code Execution Vulnerability

Atlassian Bamboo is a set of continuous integration build tools from Atlassian Australia. A security vulnerability exists in a resource in Atlassian Bamboo versions prior to 5.9.9 and 5.10.x versions prior to 5.10.0, which can be exploited by remote attackers to execute arbitrary Java code by...

CVSS 9.8 | AI score 7.6 | EPSS 0.01194
Exploits 0 | References 1
Tenable Nessus
added 2016/03/28 12:00 a.m., 52 views

FreeBSD : activemq -- Unsafe deserialization (a258604d-f2aa-11e5-b4a9-ac220bdcec59)

Alvaro Muñoz, Matthias Kaiser and Christian Schneider report : JMS Object messages depend on Java Serialization for marshaling/unmarshaling of the message payload. There are a couple of places inside the broker where deserialization can occur, like web console or stomp object message...

CVSS 9.8 | AI score 8 | EPSS 0.8038
Exploits 4 | References 3
Prion
added 2016/03/22 10:59 a.m., 10 views

Code injection

HPE Operations Orchestration 10.x before 10.51 and Operations Orchestration content before 1.7.0 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library...

CVSS 10 | AI score 8.1 | EPSS 0.02585
Exploits 0 | References 1 | Affected software 2
OpenVAS
added 2016/03/17 12:00 a.m., 21 views

openSUSE: Security Advisory for bsh2 (openSUSE-SU-2016:0788-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 8.1 | AI score 7.6 | EPSS 0.39216
Exploits 1 | References 1
OPENSUSE Linux
added 2016/03/16 7:12 p.m., 33 views

Security update for bsh2 (important)

This update for bsh2 fixes the following issues: - CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Please see...

CVSS 6.8 | AI score 0.6 | EPSS 0.39216
Exploits 1 | References 1
OSV
added 2016/03/09 8:03 a.m., 3 views

SUSE-SU-2016:0699-1 Security update for bsh2

This update for bsh2 fixes the following issue: - CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Please see...

CVSS 8.1 | AI score 8 | EPSS 0.39216
Exploits 1 | References 3
OSV
added 2016/03/09 8:03 a.m., 6 views

SUSE-SU-2016:0700-1 Security update for bsh2

This update for bsh2 fixes the following issues: - CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Please see...

CVSS 8.1 | AI score 8 | EPSS 0.39216
Exploits 1 | References 3
seebug.org
added 2016/03/02 12:00 a.m., 242 views

XStream deserialization vulnerability

The root cause of the XStream deserialization vulnerability is a problem in the Groovy component; see the Apache Groovy MethodClosure remote code execution vulnerability (CVE-2015-3253). XStream merely happens to provide a point during deserialization that reaches the flawed function: when XStream deserializes, it calls Map.put to add the constructed Expando instance as a key to a collection, which triggers code execution, as shown in the figure below. The key here is the Expando instance we constructed. When building the EXP, we first construct an Expando object instance and set its hashCode implementation to a MethodClosure...

CVSS 9 | AI score 9.4 | EPSS 0.90556
Exploits 26
Tenable Nessus
added 2016/03/01 12:00 a.m., 39 views

Debian DLA-443-1 : bsh security update

A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features. CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStre...

CVSS 8.1 | AI score 8.2 | EPSS 0.39216
Exploits 1 | References 3
Fedora
added 2016/02/28 12:29 p.m., 26 views

[SECURITY] Fedora 23 Update: rubygem-activemodel-4.2.3-2.fc23

Rich support for attributes, callbacks, validations, observers, serialization, internationalization, and testing. It provides a known set of interfaces for usage in model classes. It also helps building custom ORMs for use outside of the Rails framework...

CVSS 5.3 | AI score 4 | EPSS 0.02328
Exploits 0
Fedora
added 2016/02/28 8:31 a.m., 41 views

[SECURITY] Fedora 22 Update: rubygem-activemodel-4.2.0-2.fc22

Rich support for attributes, callbacks, validations, observers, serialization, internationalization, and testing. It provides a known set of interfaces for usage in model classes. It also helps building custom ORMs for use outside of the Rails framework...

CVSS 7.5 | AI score 4 | EPSS 0.90494
Exploits 11
myhack58
added 2016/02/28 12:00 a.m., 736 views

Java RMI services remote command execution exploit-vulnerability warning-the black bar safety net

Java RMI (Remote Method Invocation) is a mechanism that lets an object in one Java virtual machine call methods on an object in another Java virtual machine. In Java web applications, many components use RMI to communicate with and call each other. For example, many large...

AI score 0.6
Exploits 0
Tenable Nessus
added 2016/02/26 12:00 a.m., 27 views

WordPress < 3.6.1 Multiple Vulnerabilities

Binary data 9094.prm...

CVSS 7.5 | AI score 6.7 | EPSS 0.09588
Exploits 8 | References 7
Tenable Nessus
added 2016/02/22 12:00 a.m., 25 views

FreeBSD : bsh -- remote code execution vulnerability (9e5bbffc-d8ac-11e5-b2bd-002590263bf5)

Stian Soiland-Reyes reports : This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Munoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix! An application that includes BeanShell on the...

CVSS 8.1 | AI score 8.4 | EPSS 0.39216
Exploits 1 | References 4
UbuntuCve
added 2016/02/19 12:00 a.m., 31 views

CVE-2016-2510

BeanShell bsh before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler...

CVSS 8.1 | AI score 7.5 | EPSS 0.39216
Exploits 1 | References 3
OSV
added 2016/02/19 12:00 a.m., 0 views

UBUNTU-CVE-2016-2510

BeanShell bsh before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler...

CVSS 8.1 | AI score 7.5 | EPSS 0.39216
Exploits 1 | References 4
FreeBSD
added 2016/02/18 12:00 a.m., 45 views

bsh -- remote code execution vulnerability

Stian Soiland-Reyes reports: This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Muñoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix! An application that includes BeanShell on the...

CVSS 8.1 | AI score 1.7 | EPSS 0.39216
Exploits 1 | References 1
RedHat Linux
added 2016/02/03 3:00 p.m., 46 views

Critical: Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.5 update

Red Hat JBoss Operations Network 3.3 update 5, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives...

CVSS 10 | AI score 6.9 | EPSS 0.71461
Exploits 12 | References 17
ThreatPost
added 2016/01/28 9:04 a.m., 13 views

PayPal Java Serialization Vulnerability

A Java serialization vulnerability disclosed more than a year ago figured to have a long shelf life. It lived in popular Java application development frameworks such as Apache Commons Collections—where it’s been patched—and not to mention widely deployed application servers such as Oracle WebLogi...

AI score 0.3
Exploits 0 | References 6