CVE-2016-1997
Published 2016-03-22
Priority P266 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.69% (93.1th percentile)
HPE Operations Orchestration 10.x before 10.51 and Operations Orchestration content before 1.7.0 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration | — | — |
| hp | operations_orchestration_content | <= 1.5.3 | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to the /oo/backwards-compatibility/wsExecutionBridgeService endpoint, which is the deserialization sink exploited by this CVE.
- The vulnerable endpoint uses HttpInvokerServiceExporter and ObjectInputStream.readObject(), making it susceptible to crafted serialized Java object payloads; inspect inbound traffic to this path for Java serialization magic bytes (0xACED0005).
- Exploitation chains include BeanUtils1, Spring1, and Spring2 gadget chains (not Apache Commons Collections); detection should not rely solely on Commons Collections gadget signatures.
- Post-exploitation artifact: look for pseudo-randomly named files created under C:\Users\Public that are short-lived (~30 seconds), as well as directories named beanutils_exploit, spring1_exploit, and spring2_exploit under the same path.
- The DiskFileItem class is involved in the exploit chain; monitor for its instantiation or serialization in Java deserialization traffic.
- The exploit does NOT use Apache Commons Collections gadget chains despite the CVE description referencing that library; detections based solely on Commons Collections gadget signatures will miss this exploit.
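The traffic checks above can be combined into one request classifier. The following is an added example, not code from the sources this page indexes. Since HttpInvokerServiceExporter reads its input with ObjectInputStream, the magic bytes only confirm that a serialized stream is present, so the sketch also lists the class names the stream declares. The watchlist entries other than DiskFileItem, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re
import struct

SINK = "/oo/backwards-compatibility/wsExecutionBridgeService"  # path from the page
MAGIC = bytes.fromhex("ACED0005")  # Java serialization stream header
TC_CLASSDESC = 0x72                # marker that precedes a class name in the stream
# Assumed watchlist: DiskFileItem is named on the page; the beanutils package
# prefix is an assumption standing in for the BeanUtils1 chain.
WATCHLIST = ("DiskFileItem", "org.apache.commons.beanutils.")
NAME_RE = re.compile(rb"[A-Za-z_\[][\w.$;\[]*\.[\w$;]+")

def class_names(stream):
    """Heuristically list class names declared after TC_CLASSDESC markers."""
    names = []
    for i in range(len(stream) - 3):
        if stream[i] != TC_CLASSDESC:
            continue
        (n,) = struct.unpack_from(">H", stream, i + 1)  # u16 name length
        name = stream[i + 3:i + 3 + n]
        if 0 < n <= 256 and len(name) == n and NAME_RE.fullmatch(name):
            names.append(name.decode("ascii"))
    return names

def inspect_request(method, path, body):
    """Return None for unrelated traffic, else a finding with a verdict."""
    if method.upper() != "POST" or path.split("?", 1)[0] != SINK:
        return None
    start = body.find(MAGIC)
    if start < 0:
        return None
    names = class_names(body[start:])
    hits = [n for n in names if any(w in n for w in WATCHLIST)]
    verdict = "watchlisted-class" if hits else "serialized-object"
    return {"verdict": verdict, "classes": names, "hits": hits}

def _desc(name):
    """Constructed, inert class descriptor used only to build sample bodies."""
    raw = name.encode()
    return (b"\x73\x72" + struct.pack(">H", len(raw)) + raw
            + bytes(8) + b"\x02\x00\x00\x78\x70")

# Constructed samples: neither body is a working object graph.
BENIGN = MAGIC + _desc("org.springframework.remoting.support.RemoteInvocation")
SUSPECT = MAGIC + _desc("org.apache.commons.fileupload.disk.DiskFileItem")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request("POST", SINK, body))
```

The class-name scan is a byte-level heuristic, not a full stream parser; treat a "serialized-object" verdict as context for triage and a "watchlisted-class" verdict as the alertable case.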
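CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |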
No detection rules found.
No public exploits indexed.