CVE-2016-3690

Impact:
Important
Public Date:
2016-06-13
CWE:
CWE-502
Bugzilla:
1327037: CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data
It was discovered that the LegacyInvokerServlet is exposed on all network interfaces and deserializes objects sent to it. An attacker could use this flaw to cause remote code execution in the JVM running it.

Find out more about CVE-2016-3690 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 7.5
Base Metrics AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform                                    | Package  | State
--------------------------------------------|----------|-------------
Red Hat JBoss Enterprise SOA Platform 5     | JBossAS  | Will not fix
Red Hat JBoss Enterprise SOA Platform 4     | JBossAS  | Will not fix
Red Hat JBoss EAP 5                         | jbossas  | Will not fix
Red Hat JBoss EAP 4                         | jbossas  | Will not fix
Red Hat JBoss BRMS 5                        | jbossas  | Will not fix

Acknowledgements

This issue was discovered by Dennis Reed (Red Hat).

Mitigation

The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledgebase solution: https://access.redhat.com/solutions/178393
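Because the fix for this issue is removal rather than a patch, the useful check is confirming that no invoker servlet remains declared and URL-mapped in the deployed web.xml. The following script is an added example, not code from the advisory or from Red Hat; it audits a web.xml for the two servlet names the advisory mentions (PooledInvokerServlet and LegacyInvokerServlet) and reports any that are still reachable. The sample web.xml, the servlet-class values and the file layout are constructed for the example; real deployments may use different servlet names, so extend INVOKER_SERVLETS to match your environment.

```python
"""Audit a JBoss-style web.xml for invoker servlets that deserialize request
bodies. Added example; not code from the advisory or from Red Hat.

Assumptions (not stated on the advisory page): the servlet names below are the
two the advisory mentions; servlet-class values in the sample are placeholders.
"""

import xml.etree.ElementTree as ET

# Servlet names taken from the advisory text; add site-specific names as needed.
INVOKER_SERVLETS = {"PooledInvokerServlet", "LegacyInvokerServlet"}

# Constructed sample web.xml: one invoker servlet still mapped plus one
# unrelated servlet. The servlet-class values are placeholders, not real classes.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>PooledInvokerServlet</servlet-name>
    <servlet-class>org.example.placeholder.PooledInvokerServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>HealthServlet</servlet-name>
    <servlet-class>org.example.placeholder.HealthServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>PooledInvokerServlet</servlet-name>
    <url-pattern>/PooledInvokerServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>HealthServlet</servlet-name>
    <url-pattern>/health</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def find_exposed_invokers(web_xml_text):
    """Return sorted (servlet-name, url-pattern) pairs for every servlet in
    INVOKER_SERVLETS that is both declared and mapped to a URL pattern."""
    root = ET.fromstring(web_xml_text)
    declared = set()
    mappings = []
    for child in root:
        kind = _local(child.tag)
        fields = {_local(e.tag): (e.text or "").strip() for e in child}
        if kind == "servlet":
            declared.add(fields.get("servlet-name"))
        elif kind == "servlet-mapping":
            mappings.append((fields.get("servlet-name"), fields.get("url-pattern")))
    return sorted(
        (name, pattern)
        for name, pattern in mappings
        if name in INVOKER_SERVLETS and name in declared
    )


def mitigation_applied(web_xml_text):
    """True when no invoker servlet is reachable through a URL mapping."""
    return not find_exposed_invokers(web_xml_text)


if __name__ == "__main__":
    # Run against the constructed sample; replace with the deployed web.xml.
    for name, pattern in find_exposed_invokers(SAMPLE_WEB_XML):
        print(f"still exposed: {name} at {pattern}")
    print("mitigation applied:", mitigation_applied(SAMPLE_WEB_XML))
```

Run it against the web.xml of each deployed invoker web application after following the knowledgebase solution; an empty result from find_exposed_invokers means the servlet is neither declared nor mapped. Note that a servlet declared without a mapping is not reported, since it cannot be reached by URL, but removing the declaration as well keeps the configuration clean.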
