CVE-2016-1997
published 2016-03-22

Priority: P266 | critical | CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.69% (93.1th percentile)

HPE Operations Orchestration 10.x before 10.51 and Operations Orchestration content before 1.7.0 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

Affected

10 ranges

Vendor | Product | Version range | Fixed in
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration | |
hp | operations_orchestration_content | <= 1.5.3 |

Detection & IOCs (extracted from sources)

url: http://[target]:8080/oo/backwards-compatibility/wsExecutionBridgeService
path: /oo/backwards-compatibility/wsExecutionBridgeService
path: C:\Users\Public
port: 8080
  • Monitor for HTTP POST requests to the /oo/backwards-compatibility/wsExecutionBridgeService endpoint, which is the deserialization sink exploited by this CVE.
  • The vulnerable endpoint uses HttpInvokerServiceExporter and ObjectInputStream.readObject(), making it susceptible to crafted serialized Java object payloads; inspect inbound traffic to this path for Java serialization magic bytes (0xACED0005).
  • Exploitation chains include BeanUtils1, Spring1, and Spring2 gadget chains (not Apache Commons Collections); detection should not rely solely on Commons Collections gadget signatures.
  • Post-exploitation artifact: look for pseudo-randomly named files created under C:\Users\Public that are short-lived (~30 seconds), as well as directories named beanutils_exploit, spring1_exploit, and spring2_exploit under the same path.
  • The DiskFileItem class is involved in the exploit chain; monitor for its instantiation or serialization in Java deserialization traffic.
  • The exploit does NOT use Apache Commons Collections gadget chains despite the CVE description referencing that library; detections based solely on Commons Collections gadget signatures will miss this exploit.
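
The network-side checks in the list above, as an added example (not code from the advisory or its sources): it flags POST requests to the endpoint whose body carries the Java serialization stream header, after normalising the request path. It assumes raw HTTP request bytes are available, for instance from a proxy or capture after TLS termination; the host `oo.example` and all sample requests are constructed.

```python
from urllib.parse import unquote, urlsplit

ENDPOINT = "/oo/backwards-compatibility/wsExecutionBridgeService"  # path from this page
JAVA_MAGIC = bytes.fromhex("aced0005")  # serialization stream magic + version
CLASS_HINTS = (b"DiskFileItem",)        # class named on this page; names appear as text in the stream


def inspect_request(raw: bytes):
    """Return a finding dict for a raw HTTP/1.x request, or None if it is not a POST to ENDPOINT."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers never terminated: nothing to inspect
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return None  # malformed request line
    method, target, _version = parts
    # Normalise before matching: drop the query, percent-decode, collapse repeated slashes.
    path = unquote(urlsplit(target).path)
    path = "/" + "/".join(seg for seg in path.split("/") if seg)
    # Case-insensitive match is a conservative choice made for this example.
    if method.upper() != "POST" or path.lower() != ENDPOINT.lower():
        return None
    offset = body.find(JAVA_MAGIC)
    return {
        "path": path,
        "serialized_java": offset != -1,
        "magic_offset": offset,
        "class_hints": [h.decode() for h in CLASS_HINTS if h in body],
    }


def _request(method: str, target: str, body: bytes) -> bytes:
    # Constructed sample traffic; oo.example is a placeholder host.
    return f"{method} {target} HTTP/1.1\r\nHost: oo.example:8080\r\n\r\n".encode() + body


# Stream header plus a class-descriptor fragment only; not a deserializable object.
FRAGMENT = JAVA_MAGIC + b"sr\x00\x2forg.apache.commons.fileupload.disk.DiskFileItem"
SAMPLES = {
    "direct": _request("POST", ENDPOINT, FRAGMENT),
    "encoded_path": _request("POST", "/oo//backwards%2Dcompatibility/wsExecutionBridgeService?a=1", b"\x00\x00" + JAVA_MAGIC),
    "wrong_method": _request("GET", ENDPOINT, b""),
    "other_path": _request("POST", "/oo/login", FRAGMENT),
    "no_magic": _request("POST", ENDPOINT, b"<soap/>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

The match keys on the endpoint and the stream header rather than on any gadget-chain signature, in line with the caveat above; `class_hints` is supporting evidence only.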

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C