CVE-2016-2510
A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.
Find out more about CVE-2016-2510 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
CVSS v3 metrics
| CVSS3 Base Score | 7.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Data Virtualization 6.2 | RHSA-2016:1135 | 2016-05-26 |
| Red Hat JBoss BPMS 6.2 | RHSA-2016:0539 | 2016-03-30 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2016:1376 | 2016-06-30 |
| Red Hat JBoss BRMS 6.2 | RHSA-2016:0540 | 2016-03-30 |
| Red Hat JBoss Fuse 6.3 | RHSA-2016:2035 | 2016-10-06 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Operations Network 3 | Core Server | Not affected |
| Red Hat JBoss Fuse Service Works 6 | Camel | Affected |
| Red Hat JBoss Enterprise Application Platform 5.2 | bsh2 | Not affected |
| Red Hat JBoss BRMS 5 | jbossas | Will not fix |