CVE-2016-7065
Published 2016-10-13
Priority: P2 · 64 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC available (see references)
EPSS: 12.47% (95.7th percentile)
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | 4 | none (will not fix) |
| redhat | jboss_enterprise_application_platform | 5 | none (will not fix) |
Detection & IOCs (extracted from sources)
- Detect authenticated HTTP POST requests to the JMX Invoker Servlet path /invoker/JMXInvokerServlet whose body is a Java serialization stream (a binary body beginning with the stream magic and version bytes AC ED 00 05, regardless of the declared Content-Type).
- Monitor JBoss EAP processes for sustained 100% CPU usage following POST requests to /invoker/JMXInvokerServlet; a deserialization DoS payload keeps the worker thread busy while the object graph is being reconstructed.
- Alert on inbound traffic to port 8080/TCP (or whichever port the HTTP connector is configured on) for the /invoker/JMXInvokerServlet endpoint on JBoss EAP 4 or 5 servers; the servlet is deployed by default and is the attack vector.
- Flag the presence of the public PoC payload files (01_BigString_limited.ser, 02_SerialDOS_limited.ser, 03_BigString.ser, 04_SerialDOS.ser) on disk or in HTTP request bodies; these are the known exploit payloads for this CVE, though a modified payload will not carry these names.
- The JMX Invoker Servlet requires authentication by default, but any remote authenticated user can exploit the flaw, so authentication alone is not a sufficient mitigation.
- Red Hat will not issue a fix for JBoss EAP 4 or 5 (both are in a maintenance/end-of-life phase), so operators must apply compensating controls: restrict access to /invoker/JMXInvokerServlet at the firewall or reverse proxy (blocking 8080/TCP outright also takes the application offline), or undeploy the HTTP invoker (http-invoker.sar in JBoss 4/5) if no client depends on it.
- No public remote code execution chain was known at disclosure, while the deserialization DoS is confirmed; new gadget chains surface regularly, so the RCE risk should be treated as real.
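The first, third and fourth detections above can be combined into one request-inspection routine. The following is an added example, not code from the original page or from Red Hat/JBoss: it checks whether a request targets the invoker servlet, whether its body is a Java serialization stream (AC ED 00 05), and which class sits at the root of that stream, so that a genuine invoker call can be told apart from a payload. The assumption that a legitimate client sends org.jboss.invocation.MarshalledInvocation as the root object, and every sample request, are constructed for the example.

```python
"""Added example (not from the original page or from Red Hat/JBoss).

Flags HTTP requests to the JBoss EAP 4/5 JMX Invoker Servlet that carry a
Java serialization stream and reports the stream's root class. The expected
root class name and all sample requests are assumptions/constructed data.
"""
import struct

INVOKER_PATH = "/invoker/JMXInvokerServlet"
STREAM_HEADER = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72          # type codes from the Java serialization spec
TC_STRING, TC_LONGSTRING = 0x74, 0x7C
# Assumption: a genuine invoker client sends a MarshalledInvocation as the root object.
EXPECTED_ROOT = "org.jboss.invocation.MarshalledInvocation"
# File names of the public PoC payloads listed in the Detection & IOCs section.
KNOWN_PAYLOAD_NAMES = (b"01_BigString_limited.ser", b"02_SerialDOS_limited.ser",
                       b"03_BigString.ser", b"04_SerialDOS.ser")


def root_class(body: bytes):
    """Return the root type of a Java serialization stream, or None if body is not one."""
    if len(body) < 5 or not body.startswith(STREAM_HEADER):
        return None
    tc = body[4]
    if tc in (TC_STRING, TC_LONGSTRING):
        return "java.lang.String"
    if tc == TC_OBJECT and len(body) >= 8 and body[5] == TC_CLASSDESC:
        # class name is a modified-UTF-8 string prefixed by a big-endian 2-byte length
        (name_len,) = struct.unpack(">H", body[6:8])
        return body[8:8 + name_len].decode("utf-8", "replace")
    return "<typecode 0x%02x>" % tc


def analyze_request(req: dict) -> list:
    """Return detection tags for one HTTP request dict (id, method, path, headers, body)."""
    findings = []
    if req["path"] != INVOKER_PATH:
        return findings
    findings.append("invoker-servlet-access")
    if req["method"] == "POST":
        root = root_class(req["body"])
        if root is not None:
            findings.append("java-serialized-body")
            if root != EXPECTED_ROOT:
                findings.append("unexpected-root-class:" + root)
    # PoC file names may show up in multipart headers or raw bodies
    haystack = req["body"] + "\n".join(req["headers"].values()).encode()
    for name in KNOWN_PAYLOAD_NAMES:
        if name in haystack:
            findings.append("known-payload-name:" + name.decode())
    return findings


def scan_requests(requests) -> dict:
    """Map request id -> findings, keeping only requests that triggered something."""
    result = {}
    for req in requests:
        tags = analyze_request(req)
        if tags:
            result[req["id"]] = tags
    return result


def _serialized_object(class_name: str) -> bytes:
    """Build the head of a TC_OBJECT stream (enough for root_class); constructed test data."""
    name = class_name.encode()
    return (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name + b"\x00" * 16)


SAMPLE_REQUESTS = [  # constructed; not captured traffic
    {"id": "legit-invoke", "method": "POST", "path": INVOKER_PATH,
     "headers": {"Content-Type": "application/octet-stream"},
     "body": _serialized_object(EXPECTED_ROOT)},
    {"id": "serialdos-shape", "method": "POST", "path": INVOKER_PATH,
     "headers": {"Content-Type": "application/octet-stream"},
     "body": _serialized_object("java.util.HashSet")},
    {"id": "bigstring-shape", "method": "POST", "path": INVOKER_PATH,
     "headers": {"Content-Type": "application/octet-stream"},
     "body": STREAM_HEADER + bytes([TC_STRING]) + struct.pack(">H", 8) + b"A" * 8},
    {"id": "upload-poc-file", "method": "POST", "path": INVOKER_PATH,
     "headers": {"Content-Disposition": 'form-data; name="f"; filename="04_SerialDOS.ser"'},
     "body": b"not a stream"},
    {"id": "unrelated", "method": "GET", "path": "/index.html", "headers": {}, "body": b""},
]

if __name__ == "__main__":
    for rid, tags in scan_requests(SAMPLE_REQUESTS).items():
        print(rid, "->", ", ".join(tags))
```

The root-class check is what keeps this from being a pure "any serialized body" alert: the servlet legitimately consumes serialized objects, so the useful signal is a root type the invoker never expects (a collection, a string, or a gadget class) rather than the magic bytes alone. The CPU-usage detection from the list is host telemetry and is not reproduced here.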
CVSS provenance
- NVD v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
- Vendor (Red Hat): 8.8 HIGH
GHSA
GHSA-4pfh-2w89-vqv4 · ghsa_unreviewed · 2022-05-17 · HIGH · CWE-502
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
Red Hat
JBoss EAP 5 JMX servlet deserializes Java objects sent via HTTP
vendor_redhat · 2016-10-07 · CVSS 8.8 · HIGH · CWE-502
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
Package status:
- jbossas (Red Hat JBoss Enterprise Application Platform 4): Will not fix
- jbossas (Red Hat JBoss Enterprise Application Platform 5): Will not fix
- jbossas (Red Hat JBoss SOA Platform 4): Will not fix
- jbossas (Red Hat JBoss SOA Platform 5): Will not fix
No detection rules found.
arXiv
An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities
arxiv_fulltext · 2022-08-17
Authors: Imen Sayar (University of Toulouse, Blagnac, France; part of this research was conducted while at the University of Luxembourg), Alexandre Bartel (Umeå University, Sweden; part of this research was conducted while at the University of Luxembourg and the University of Copenhagen), Eric Bodden (Paderborn University, Germany), Yves Le Traon (University of Luxembourg)
## Abstract
Nowadays, an increasing number of applications uses deserializatio
Bugzilla
CVE-2016-7065 JBoss EAP 5 JMX servlet deserializes Java objects sent via HTTP
bugzilla · 2016-10-07 · CVSS 8.8 · HIGH
The JBoss EAP 4 and 5 JMX servlet is exposed on port 8080/TCP with authentication by default. The communication employs serialized Java objects, encapsulated in HTTP requests and responses. The server deserializes these objects. This behavior can be exploited to cause a denial of service and potentially execute arbitrary code.
Acknowledgments: Federico Dotta (Mediaservice.net), Maurizio Agazzini (Mediaservice.net)
References:
- http://seclists.org/fulldisclosure/2016/Nov/143
- http://www.securityfocus.com/bid/93462
- https://bugzilla.redhat.com/show_bug.cgi?id=1382534
- https://www.exploit-db.com/exploits/40842/
Published: 2016-10-13