CVE-2016-7065
published 2016-10-13


Priority: P2 (64, high)
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: EXPLOIT
EPSS: 12.47% (95.7th percentile)
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
redhat | jboss_enterprise_application_platform | (not shown) | (not shown)
redhat | jboss_enterprise_application_platform | (not shown) | (not shown)

Detection & IOCs (extracted from sources)

url: http://localhost:8080/invoker/JMXInvokerServlet
port: 8080/TCP
path: /invoker/JMXInvokerServlet
filename: 01_BigString_limited.ser
filename: 02_SerialDOS_limited.ser
filename: 03_BigString.ser
filename: 04_SerialDOS.ser
  • Detect authenticated HTTP POST requests targeting the JMX Invoker Servlet path /invoker/JMXInvokerServlet, particularly those carrying a serialized Java object body (a serialized-object Content-Type, or a binary payload starting with the Java serialization magic bytes 0xACED0005).
  • Monitor JBoss EAP processes for sustained 100% CPU usage following HTTP POST requests to /invoker/JMXInvokerServlet; this is indicative of a serialization DoS payload being processed.
  • Alert on any inbound network traffic to port 8080/TCP destined for the /invoker/JMXInvokerServlet endpoint on JBoss EAP 4 or 5 servers, as this servlet is exposed by default and is the attack vector.
  • Flag the presence of .ser payload files (e.g., 01_BigString_limited.ser, 02_SerialDOS_limited.ser, 03_BigString.ser, 04_SerialDOS.ser) on disk or in HTTP request bodies, as these are the known exploit payloads for this CVE.
  • The JMX Invoker Servlet requires authentication by default; however, the vulnerability is still exploitable by any remote authenticated user, so authentication alone is not a sufficient mitigation.
  • Red Hat will not issue a fix for this vulnerability in JBoss EAP 4 or 5 due to end-of-life/maintenance status; operators must apply compensating controls (e.g., network-level blocking of port 8080/TCP access to /invoker/JMXInvokerServlet).
  • No known remote code execution chain exists at the time of disclosure, but the DoS via serialization is confirmed; new gadget chains are discovered regularly and the RCE risk should be treated as real.
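As an added example (not taken from the page, the cited sources, or Red Hat), a small Python inspector that applies the first detection bullet to raw HTTP requests: it flags traffic to the invoker servlet path whose body begins with the Java serialization stream magic or whose Content-Type declares a serialized object. The request samples are constructed, and the parser assumes a single unchunked HTTP/1.1 request.

```python
"""Flag requests to the JBoss JMX Invoker Servlet that carry serialized Java objects.

Added example for CVE-2016-7065; the path, port and magic bytes come from the
page's IOC list. Samples below are constructed, not real captures."""

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # stream magic 0xACED, stream version 0x0005
INVOKER_PATH = "/invoker/JMXInvokerServlet"


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path.split("?", 1)[0], headers, body   # drop query string


def inspect_request(raw: bytes) -> list:
    """Return the list of reasons the request is suspicious (empty if none)."""
    method, path, headers, body = parse_request(raw)
    if not path.startswith(INVOKER_PATH):
        return []   # only the invoker endpoint matters for this CVE
    reasons = ["request to JMX invoker servlet"]
    if method == "POST" and body.startswith(JAVA_SERIAL_MAGIC):
        reasons.append("body starts with Java serialization magic 0xACED0005")
    if "java-serialized-object" in headers.get("content-type", ""):
        reasons.append("Content-Type declares a serialized Java object")
    return reasons


# Constructed samples: one benign request, one matching the page's IOCs.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: jboss.example\r\n\r\n"
SUSPECT = (b"POST /invoker/JMXInvokerServlet HTTP/1.1\r\n"
           b"Host: jboss.example:8080\r\n"
           b"Content-Type: application/x-java-serialized-object\r\n\r\n"
           + JAVA_SERIAL_MAGIC + b"\x73\x72" + b"\x00" * 8)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request(sample))
```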

CVSS provenance

nvd, v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd, v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat: 8.8 HIGH