SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Red Hat JBoss
Vendors:   Red Hat

JBoss Data Virtualization Object Deserialization Flaw Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1034815
SecurityTracker URL:  http://securitytracker.com/id/1034815
CVE Reference:   CVE-2015-3253
Date:  Jan 26 2016
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Red Hat JBoss Data Virtualization. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted serialized data that is executed when the application deserializes it, yielding arbitrary code execution on the target system.

The vulnerability resides in the MethodClosure class in the Apache Groovy component.
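As an added defensive illustration (this is not code from the advisory, from Red Hat, or from the Groovy project), the following look-ahead ObjectInputStream refuses to resolve any class not on an explicit allow-list. The check runs on the class name read from the stream, before the JVM loads the class or runs any readObject/readResolve logic, so a gadget class such as Groovy's MethodClosure is never instantiated. The allow-list contents and the use of a HashMap as a stand-in for a disallowed class are assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.*;

/** Look-ahead deserialization guard: allow-list checked in resolveClass(). */
public class AllowListObjectInputStream extends ObjectInputStream {
    // Assumed allow-list: only the types this endpoint legitimately expects.
    // Anything else, e.g. org.codehaus.groovy.runtime.MethodClosure, is rejected.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.lang.String", "java.lang.Integer"));

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Refuse before the class is loaded; logging this is a useful detection signal.
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Serialize an object into bytes (constructed input standing in for network data).
    static byte[] toBytes(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: a list of strings, which deserializes normally.
        byte[] good = toBytes(new ArrayList<>(Arrays.asList("a", "b")));
        Object ok = new AllowListObjectInputStream(new ByteArrayInputStream(good)).readObject();
        System.out.println("accepted: " + ok);

        // Unexpected type (HashMap stands in for a gadget class): the stream names the
        // class, resolveClass rejects it, and no constructor or readResolve ever runs.
        byte[] bad = toBytes(new HashMap<String, String>());
        try {
            new AllowListObjectInputStream(new ByteArrayInputStream(bad)).readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing through the JEP 290 ObjectInputFilter mechanism; the subclass above is shown because it also works on the Java 7/8 runtimes the affected product generation ran on.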

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   Red Hat has issued a fix.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2016-0066.html

Vendor URL:  rhn.redhat.com/errata/RHSA-2016-0066.html
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 3 2016 (Red Hat Issues Fix for JBoss Operations Network) JBoss Data Virtualization Object Deserialization Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Red Hat has issued a fix for JBoss Operations Network for Red Hat Enterprise Linux.
Apr 20 2016 (Oracle Issues Fix for Oracle WebCenter Sites) JBoss Data Virtualization Object Deserialization Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Oracle has issued a fix for Oracle Fusion Middleware/Oracle WebCenter Sites.
Jul 1 2016 (Red Hat Issues Fix) JBoss Data Virtualization Object Deserialization Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Red Hat has issued a fix for Red Hat Enterprise Linux.
Jul 20 2016 (Oracle Issues Fix for Oracle Health Sciences Applications) JBoss Data Virtualization Object Deserialization Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Oracle has issued a fix for Oracle Health Sciences Applications.
Jul 20 2016 (Oracle Issues Fix for Oracle Retail Applications) JBoss Data Virtualization Object Deserialization Flaw Lets Remote Users Execute Arbitrary Code on the Target System
Oracle has issued a fix for Oracle Retail Applications.
 Source Message Contents

Subject:  [RHSA-2016:0066-01] Moderate: Red Hat JBoss Data Virtualization 6.2.0 security update

Copyright 2019, SecurityGlobal.net LLC