CVE-2019-16112
Published 2020-05-13
Priority P2 · 68 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available · EPSS: 11.39% (95.5th percentile)
TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting in remote code execution via a crafted Java object to the recorder/ServiceManager?service=tyler.empire.settings.SettingManager URI.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tylertech | eagle | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to /recorder/ServiceManager carrying the query parameter service=tyler.empire.settings.SettingManager; this is the request that reaches the vulnerable deserialization path.
- Alert on POST requests to /recorder/ServiceManager with Content-Type: application/octet-stream: the public exploit delivers a zlib-compressed Java serialized object in the request body.
- The public exploit uses the ysoserial CommonsCollections6 gadget chain. Inflate the POST body and check for the Java serialization stream header (0xAC 0xED, followed by the stream version 0x00 0x05); the class names of the gadget chain are written in the clear inside the stream.
- The exploit source describes the endpoint as unauthenticated, while the NVD vector scores it PR:L (low privileges). Do not rely on session state as a filter: alert on binary/octet-stream POST bodies to /recorder/ServiceManager whether or not the request carries a session.
- Spawned processes run under the Tomcat service account; treat unexpected child processes of the Tomcat JVM as a post-exploitation indicator.
- The affected version is specifically 2018.3.11; include version fingerprinting in the detection and triage workflow.
- The exploit was tested on Windows 2012; process-lineage rules (Tomcat spawning cmd.exe or powershell.exe) should cover Windows-based deployments.
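As an added example (not code from this page or from Tyler Technologies), the following Python turns the indicators above into a request inspector plus a process-lineage check and runs them over constructed sample requests. It assumes each request is available as a (method, URL, headers, body) tuple, that the payload is an unmodified ysoserial CommonsCollections6 stream whose dotted class names appear in the clear, and that Tomcat on Windows runs as tomcat*.exe or java.exe. The sample payload is a constructed stand-in carrying only the serialization header and one gadget class name; it is not a working gadget chain.

```python
"""Detection helper for CVE-2019-16112 traffic (added example, not the page's code)."""
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/recorder/ServiceManager"
TARGET_SERVICE = "tyler.empire.settings.SettingManager"
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED followed by STREAM_VERSION 5
# Dotted class-name prefix written in the clear in the class descriptors of the
# CommonsCollections gadget chains (assumption: unmodified ysoserial CC6 stream).
GADGET_HINT = b"org.apache.commons.collections"
MAX_INFLATE = 1 << 20  # inflate at most 1 MiB so a decompression bomb cannot stall the detector
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}


def inflate_prefix(body: bytes) -> Optional[bytes]:
    """Inflate up to MAX_INFLATE bytes of a zlib stream; None if the body is not zlib."""
    try:
        return zlib.decompressobj().decompress(body, MAX_INFLATE)
    except zlib.error:
        return None


def inspect_request(method: str, url: str, headers: dict, body: bytes) -> list:
    """Return the indicators matched by one HTTP request (empty list = nothing of interest)."""
    hits = []
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path != TARGET_PATH:
        return hits
    hits.append("post_to_servicemanager")
    if TARGET_SERVICE in parse_qs(parts.query).get("service", []):
        hits.append("settingmanager_service")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() == "application/octet-stream":
        hits.append("octet_stream_body")
    inflated = inflate_prefix(body)
    if inflated:
        hits.append("zlib_compressed_body")
        payload = inflated
    else:
        payload = body  # not zlib: still check for a bare serialized object
    if payload.startswith(JAVA_SER_MAGIC):
        hits.append("java_serialized_object")
    if GADGET_HINT in payload:
        hits.append("commons_collections_gadget")
    return hits


def is_exploit_attempt(hits: list) -> bool:
    """A serialized Java object posted to the ServiceManager endpoint is the actionable signal."""
    return "post_to_servicemanager" in hits and "java_serialized_object" in hits


def is_suspicious_spawn(parent_image: str, child_image: str) -> bool:
    """Post-exploitation lineage check: the Tomcat process (assumed image names
    tomcat*.exe or java.exe) spawning cmd.exe or powershell.exe."""
    parent = parent_image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    child = child_image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    tomcat_parent = parent.startswith("tomcat") or parent in {"java.exe", "javaw.exe"}
    return tomcat_parent and child in SHELL_CHILDREN


def sample_payload() -> bytes:
    """Constructed stand-in for the exploit body: serialization header plus one gadget
    class descriptor name. Deliberately not a working gadget chain."""
    stream = JAVA_SER_MAGIC + b"\x73\x72" + b"org.apache.commons.collections.functors.InvokerTransformer"
    return zlib.compress(stream)


SAMPLE_REQUESTS = [  # constructed for this example
    ("POST", "/recorder/ServiceManager?service=tyler.empire.settings.SettingManager",
     {"Content-Type": "application/octet-stream"}, sample_payload()),
    ("POST", "/recorder/ServiceManager?service=tyler.empire.settings.SettingManager",
     {"Content-Type": "application/x-www-form-urlencoded"}, b"name=theme&value=dark"),
    ("GET", "/recorder/ServiceManager?service=tyler.empire.settings.SettingManager", {}, b""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run the inspector over a list of requests; returns (method, url, hits, flagged) tuples."""
    results = []
    for method, url, headers, body in requests:
        hits = inspect_request(method, url, headers, body)
        results.append((method, url, hits, is_exploit_attempt(hits)))
    return results


if __name__ == "__main__":
    for method, url, hits, flagged in scan():
        print(f"{'ALERT' if flagged else 'ok   '} {method} {url} {hits}")
```

Two design points worth keeping if you port this to a real sensor: the inflate step is bounded (a zlib bomb in the body must not stall the detector), and the serialization-header check runs on the raw body as well, so a variant that drops the zlib wrapper is still caught.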
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.