CVE-2016-8648
moderate-risk
Published 2018-08-01
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x and Red Hat JBoss A-MQ 6.x deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath.
Do I need to act?
EPSS: 0.51% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 7.2/10 (High), attack vector NETWORK, LOW complexity
Affected Products (2)
Affected Vendors
References (4)
Third Party Advisory
http://www.securityfocus.com/bid/94513
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648
Risk score: 35 / 100 (moderate-risk)
Severity: 26/34 · High
Exploitability: 2/34 · Minimal
Exposure: 7/34 · Low