Immunity Canvas: JBOSS6_JMXINVOKERSERVLET_DESERIALIZE

2017-11-09 17:29:00
Immunity Canvas
exploitlist.immunityinc.com
EPSS: 0.018 (Low), percentile 88.4%

Name jboss6_jmxinvokerservlet_deserialize
CVE CVE-2015-7501 Exploit Pack
VENDOR: Red Hat
NOTES:
IMPORTANT NOTE: This module WILL NOT WORK against any instance of this application running an Apache Commons Collections version prior to 3.0.

JBoss AS6 has a remote monitoring servlet named JMXInvokerServlet. It communicates
with a client by exchanging serialized Java objects. Apache Commons pre-3.2 allows users to serialize
transformers on collection values. Of importance to us is the InvokerTransformer, which is capable
of invoking Java methods. We are able to run these transformers by adding them to an
annotation map whose members are accessed. The right chain of method invocations leads to arbitrary
code execution.
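
For defenders, the exchange described above leaves a recognizable trace in HTTP request bodies: the Java serialization stream header followed by class descriptors that name the classes to be instantiated. The following is an added detection sketch, not part of the Canvas module or of JBoss; the function names and sample bytes are constructed for illustration, and the only flagged package is the one holding the InvokerTransformer named in the notes.

```python
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream magic + version
TC_CLASSDESC = 0x72                  # marker byte that precedes a class descriptor
# Package of the InvokerTransformer named in the notes (prefix also covers sibling functors).
FLAGGED_PREFIXES = ("org.apache.commons.collections.functors.",)
CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+\Z")

def class_names(stream: bytes) -> list:
    """Extract class names from TC_CLASSDESC records: 0x72, u2 length, name."""
    names, i = [], 0
    while True:
        i = stream.find(bytes([TC_CLASSDESC]), i)
        if i < 0 or i + 3 > len(stream):
            return names
        (length,) = struct.unpack(">H", stream[i + 1:i + 3])
        candidate = stream[i + 3:i + 3 + length]
        if len(candidate) == length and CLASS_NAME.match(candidate):
            names.append(candidate.decode("ascii"))
            i += 3 + length          # skip the name so its own 'r' bytes are not re-read
        else:
            i += 1

def inspect_body(body: bytes) -> dict:
    """Report whether an HTTP body carries a Java object stream and which classes it names."""
    data = body
    if body.lstrip().startswith(b"rO0AB"):   # base64 form of the stream magic
        try:
            data = base64.b64decode(body.strip(), validate=True)
        except ValueError:
            pass                             # not valid base64; inspect the bytes as sent
    start = data.find(STREAM_MAGIC)
    if start < 0:
        return {"serialized": False, "classes": [], "flagged": []}
    names = class_names(data[start:])
    flagged = [n for n in names if n.startswith(FLAGGED_PREFIXES)]
    return {"serialized": True, "classes": names, "flagged": flagged}

def classdesc_fragment(name: str) -> bytes:
    """Constructed test data: a bare class-descriptor header, not a complete object."""
    return b"\x73\x72" + struct.pack(">H", len(name)) + name.encode("ascii") + b"\x00" * 8

SAMPLE_BENIGN = STREAM_MAGIC + classdesc_fragment("java.util.ArrayList")
SAMPLE_SUSPECT = SAMPLE_BENIGN + classdesc_fragment(FLAGGED_PREFIXES[0] + "InvokerTransformer")

if __name__ == "__main__":
    print(inspect_body(SAMPLE_SUSPECT)["flagged"])
```

A body that reports `serialized: True` on a management endpoint is worth logging on its own; a non-empty `flagged` list is the stronger signal.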

NOTE: By default, JBoss6 starts the console/management interface on localhost:8080.
For this module to work, the console/management interface needs to be accessible from
the host that runs CANVAS.

Version support:
> Ubuntu Linux 14.04.3 - x86
- 6.0.0 on Java SE 6 / 7 / 8
- 4.2.0 on Java SE 6 / 7 / 8
- 4.2.1 on Java SE 7
- 4.2.3 on Java SE 7
> Windows 7 Ultimate SP 1 x86
- 6.0.0 on Java SE 6 / 7
- 6.0.0 on Java SE 8 FAILED
- 4.2.0 on Java SE 6 / 7
- 4.2.0 on Java SE 8 FAILED
- 4.2.1 on Java SE 6 / 7
- 4.2.1 on Java SE 8 FAILED
- 4.2.3 on Java SE 6 / 7
- 4.2.3 on Java SE 8 FAILED

Repeatability: Infinite
References: ['http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/', 'https://access.redhat.com/security/cve/CVE-2015-7501', 'https://access.redhat.com/solutions/2045023']
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501