CVE-2016-8519
Published 2018-02-15
CVE-2016-8519: A remote code execution vulnerability in HPE Operations Orchestration Community edition and Enterprise edition prior to v10.70 was found.
Priority P269 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.05% (97.9th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | operations_orchestration | — | — |
| hewlett_packard_enterprise | operations_orchestration | — | — |
| hp | operations_orchestration | < 10.70 | 10.70 |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to the endpoint /oo/backwards-compatibility/wsExecutionBridgeService, which is the attack vector for this Java deserialization RCE vulnerability.
- The vulnerability is exploitable via Java deserialization through endpoints using HttpInvokerServiceExporter (original) or the incomplete-fix SecureHttpInvokerServiceExporter; inspect deserialized payloads for non-RemoteInvocation root objects or malicious objects embedded in the RemoteInvocation attributes map.
- An exploitable Apache Commons BeanUtils library is present on the classpath; detect gadget-chain payloads associated with Apache Commons BeanUtils in deserialized HTTP POST bodies to the affected endpoint.
- The bypass of LookAheadObjectInputStream works by embedding arbitrary serializable objects inside the RemoteInvocation attributes map; the firstTime flag only validates the first deserialized class, so subsequent nested objects are unchecked.
- The incomplete fix (SecureHttpInvokerServiceExporter / LookAheadObjectInputStream) only validates the first deserialized class via the firstTime boolean flag; all subsequent nested objects within the RemoteInvocation are deserialized without class verification, leaving the fix bypassable.
- The vulnerability affects HPE Operations Orchestration Community and Enterprise editions prior to v10.70; the partial fix was introduced in 10.60 but is insufficient.
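The first-class-only check described in the notes above, next to a check applied to every class descriptor, as an added example (not HPE's or Spring's code). `Envelope` and `Unexpected` are constructed stand-ins for RemoteInvocation and a nested unlisted object, and the stream class names are hypothetical; the first stream accepts the constructed input while the allowlist stream rejects it.

```java
import java.io.*;
import java.util.*;
public class LookAheadDemo {
    // Constructed stand-ins: Envelope plays RemoteInvocation, Unexpected is a harmless unlisted class.
    static class Envelope implements Serializable {
        Map<String, Object> attributes = new HashMap<>();
    }
    static class Unexpected implements Serializable { int marker = 1; }

    // Flawed pattern: only the first class descriptor in the stream is checked.
    static class FirstOnlyStream extends ObjectInputStream {
        private boolean firstTime = true;
        FirstOnlyStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass d)
                throws IOException, ClassNotFoundException {
            if (firstTime && !d.getName().equals(Envelope.class.getName()))
                throw new InvalidClassException(d.getName(), "unexpected root class");
            firstTime = false;
            return super.resolveClass(d);
        }
    }

    // Hardened pattern: every class descriptor must be on the allowlist.
    static class AllowlistStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(
                Arrays.asList(Envelope.class.getName(), "java.util.HashMap"));
        AllowlistStream(InputStream in) throws IOException { super(in); }
        @Override protected Class<?> resolveClass(ObjectStreamClass d)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(d.getName()))
                throw new InvalidClassException(d.getName(), "class not allowlisted");
            return super.resolveClass(d);
        }
    }

    static boolean accepts(ObjectInputStream in) {
        try (ObjectInputStream s = in) { s.readObject(); return true; }
        catch (IOException | ClassNotFoundException e) { return false; }
    }
    public static void main(String[] args) throws IOException {
        Envelope env = new Envelope();
        env.attributes.put("k", new Unexpected());   // nested, unlisted object
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(env); }
        byte[] b = buf.toByteArray();
        System.out.println("first-only accepts: " + accepts(new FirstOnlyStream(new ByteArrayInputStream(b))));
        System.out.println("allowlist accepts:  " + accepts(new AllowlistStream(new ByteArrayInputStream(b))));
    }
}
```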
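CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |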
No detection rules found.
No public exploits indexed.
- http://www.securityfocus.com/bid/95225
- http://www.securitytracker.com/id/1037552
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05361944
- https://www.tenable.com/security/research/tra-2017-05
Published: 2018-02-15