CVE-2016-2510
Published: 2016-04-07
Priority: P268 high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 70.43% (99.3th percentile)
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beanshell | beanshell | — | — |
| beanshell | beanshell | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | bsh | < bsh 2.0b4-16 (bookworm) | bsh 2.0b4-16 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
Detection & IOCs
path: /monitor/messagebroker/amf
url: https://github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb
snort:
ET EXPLOIT TIBCO Data Virtualization [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/monitor/messagebroker/amf"; nocase; http.request_body; content:"|00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00|"; fast_pattern; reference:url,github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb; reference:url,twitter.com/pedrib1337/status/1415862996786548736; reference:cve,2016-2510; classtype:attempted-admin; sid:2033605; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2016_2510, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes:
00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00
- Exploit traffic targets HTTP POST requests to the /monitor/messagebroker/amf endpoint with a crafted AMF body containing a serialized org.apache.axis2.util.MetaDataEntry gadget chain payload.
- The vulnerability is triggered via Java deserialization or XStream deserialization of crafted serialized data involving the XThis.Handler class in BeanShell; monitor inbound deserialization streams for BeanShell class references.
- A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands; alert on unexpected child processes spawned from Java application servers.
- The vulnerability only manifests if BeanShell (bsh) is present on the classpath AND the application performs Java serialization or XStream deserialization of untrusted data; BeanShell alone is not sufficient.
- The Snort/ET rule (sid:2033605) is scoped specifically to TIBCO Data Virtualization <= 8.3 and its /monitor/messagebroker/amf endpoint; other vulnerable applications using BeanShell deserialization will not be caught by this rule alone.
CVSS provenance
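| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.1 | HIGH | |
| vendor_debian | | 8.1 | HIGH | |
| vendor_oracle | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |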
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Java APIs (BeanShell) — CVE-2016-2510
vendor_oracle·2020-10-15·CVSS 8.1
CVE-2016-2510 [HIGH] Oracle Oracle Fusion Middleware Risk Matrix: Java APIs (BeanShell) — CVE-2016-2510
Oracle Oracle Fusion Middleware Risk Matrix: Java APIs (BeanShell) vulnerability
CVE: CVE-2016-2510
CVSS: 8.1
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2020 (OCT 2020)
Ubuntu
BeanShell vulnerability
vendor_ubuntu·2016-03-08
CVE-2016-2510 BeanShell vulnerability
Title: BeanShell vulnerability
Summary: BeanShell could be made to run programs if it processed specially crafted input.
Alvaro Muñoz and Christian Schneider discovered that BeanShell incorrectly handled deserialization. A remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
bsh2: remote code execution via deserialization
vendor_redhat·2016-02-22·CVSS 8.1
CVE-2016-2510 [HIGH] CWE-502 bsh2: remote code execution via deserialization
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.
Package: BusinessCentral (Red Hat BPM Suite 6) - Affected
Package: jbossas (Red Hat JBoss BRMS 5) - Will not fix
Package: Bus
Debian
CVE-2016-2510: bsh - BeanShell (bsh) before 2.0b6, when included on the classpath by an application t...
vendor_debian·2016·CVSS 8.1
CVE-2016-2510 [HIGH] CVE-2016-2510: bsh - BeanShell (bsh) before 2.0b6, when included on the classpath by an application t...
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Scope: local
bookworm: resolved (fixed in 2.0b4-16)
bullseye: resolved (fixed in 2.0b4-16)
forky: resolved (fixed in 2.0b4-16)
sid: resolved (fixed in 2.0b4-16)
trixie: resolved (fixed in 2.0b4-16)
OSV
Improper Input Validation in BeanShell
osv·2022-05-13
CVE-2016-2510 [HIGH] Improper Input Validation in BeanShell
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
GHSA
Improper Input Validation in BeanShell
ghsa·2022-05-13
CVE-2016-2510 [HIGH] CWE-20 Improper Input Validation in BeanShell
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
OSV
CVE-2016-2510: BeanShell (bsh) before 2
osv·2016-04-07·CVSS 8.1
CVE-2016-2510 [HIGH] CVE-2016-2510: BeanShell (bsh) before 2
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Suricata
ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)
suricata·2021-07-28·CVSS 8.1
CVE-2016-2510 [HIGH] ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)
ET EXPLOIT TIBCO Data Virtualization [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/monitor/messagebroker/amf"; nocase; http.request_body; content:"|00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00|"; fast_pattern; reference:url,github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb; reference:url,twitter.com/pedrib1337/status/1415862996786548736; reference:cve,2016-2510; classtype:attempted-admin; sid:2033605; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2016_2510, d
No public exploits indexed.
References
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html
- http://rhn.redhat.com/errata/RHSA-2016-0539.html
- http://rhn.redhat.com/errata/RHSA-2016-0540.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://www.debian.org/security/2016/dsa-3504
- http://www.securityfocus.com/bid/84139
- http://www.securitytracker.com/id/1035440
- http://www.ubuntu.com/usn/USN-2923-1
- https://access.redhat.com/errata/RHSA-2016:1135
- https://access.redhat.com/errata/RHSA-2016:1376
- https://access.redhat.com/errata/RHSA-2019:1545
- https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
- https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
- https://github.com/beanshell/beanshell/releases/tag/2.0b6
- https://github.com/frohoff/ysoserial/pull/13
- https://security.gentoo.org/glsa/201607-17
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Published: 2016-04-07