CVE-2019-16112
published 2020-05-13

Priority: P2 · 68 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: EXPLOIT
EPSS: 11.39% (95.5th percentile)

TylerTech Eagle 2018.3.11 deserializes untrusted user input, resulting in remote code execution via a crafted Java object to the recorder/ServiceManager?service=tyler.empire.settings.SettingManager URI.

Affected (1 range)

Vendor      Product   Version range   Fixed in
tylertech   eagle     -               -

Detection & IOCs (extracted from sources)

url: /recorder/ServiceManager?service=tyler.empire.settings.SettingManager
path: /recorder/ServiceManager
command: java -jar ysoserial.jar CommonsCollections6 "<cmd>"
  • Detect HTTP POST requests to the vulnerable endpoint /recorder/ServiceManager with the query parameter service=tyler.empire.settings.SettingManager, which is the attack vector for this Java deserialization RCE.
  • Alert on HTTP POST requests to /recorder/ServiceManager with Content-Type: application/octet-stream, as the exploit delivers a zlib-compressed Java serialized payload in the request body.
  • The exploit uses the ysoserial CommonsCollections6 gadget chain; inspect POST body to /recorder/ServiceManager for zlib-compressed Java serialized objects (magic bytes 0xAC 0xED after decompression).
  • The exploit targets an unauthenticated endpoint; monitor for POST requests to /recorder/ServiceManager from unauthenticated sessions carrying binary/octet-stream bodies.
  • Spawned processes will run under the Tomcat service account; monitor for unexpected child processes of the Tomcat JVM process as a post-exploitation indicator.
  • The vulnerable application version is specifically 2018.3.11; ensure version fingerprinting is part of the detection/triage workflow.
  • The exploit was tested on Windows 2012; detection rules targeting process lineage (Tomcat spawning cmd.exe/powershell.exe) should account for Windows-based deployments.
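As an added illustration of the request-level indicators in the bullets above (example code written for this page, not code from the source, the vendor, or any exploit): a small Python checker that parses a raw HTTP request, matches the path and `service` query parameter, the `application/octet-stream` content type, and a zlib-compressed body that decompresses to the Java serialization stream header (0xAC 0xED). The three sample requests, and the compressed body consisting only of that header followed by padding, are constructed for the example; the function and indicator names are the example's own.

```python
import zlib
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the detection notes for CVE-2019-16112.
VULN_PATH = "/recorder/ServiceManager"
VULN_SERVICE = "tyler.empire.settings.SettingManager"
# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_like_java_serialized(body: bytes) -> bool:
    """True if the body is a Java serialization stream, either raw or
    zlib-compressed (the exploit described on this page compresses it)."""
    if body.startswith(JAVA_SERIAL_MAGIC[:2]):
        return True
    try:
        return zlib.decompress(body).startswith(JAVA_SERIAL_MAGIC[:2])
    except zlib.error:
        # Empty, truncated or non-zlib body: not a compressed Java stream.
        return False


def score_request(raw: bytes) -> list:
    """Return the list of indicator names that fire for one request."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    findings = []
    if method == "POST" and url.path == VULN_PATH:
        findings.append("post_to_servicemanager")
        if VULN_SERVICE in parse_qs(url.query).get("service", []):
            findings.append("settingmanager_service")
        if headers.get("content-type", "").startswith("application/octet-stream"):
            findings.append("octet_stream_body")
        if looks_like_java_serialized(body):
            findings.append("java_serialized_body")
    return findings


def is_likely_exploit_attempt(raw: bytes) -> bool:
    """High-confidence rule: POST to the endpoint, the vulnerable service
    selected, and a Java serialized body (compressed or not)."""
    required = {"post_to_servicemanager", "settingmanager_service", "java_serialized_body"}
    return required <= set(score_request(raw))


# Constructed sample body: only the serialization header plus padding,
# zlib-compressed as the indicator describes. Not a deserializable object.
_SAMPLE_BODY = zlib.compress(JAVA_SERIAL_MAGIC + b"\x00" * 16)

# Constructed sample requests (hostnames and bodies are made up).
SUSPICIOUS_REQUEST = (
    b"POST /recorder/ServiceManager?service=tyler.empire.settings.SettingManager HTTP/1.1\r\n"
    b"Host: eagle.example.internal\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(_SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n" + _SAMPLE_BODY
)

BENIGN_GET = (
    b"GET /recorder/ServiceManager?service=tyler.empire.settings.SettingManager HTTP/1.1\r\n"
    b"Host: eagle.example.internal\r\n"
    b"\r\n"
)

BENIGN_POST = (
    b"POST /recorder/ServiceManager?service=other.Service HTTP/1.1\r\n"
    b"Host: eagle.example.internal\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"ping": true}'
)

if __name__ == "__main__":
    for name, req in [("suspicious", SUSPICIOUS_REQUEST), ("benign GET", BENIGN_GET), ("benign POST", BENIGN_POST)]:
        print(f"{name}: {score_request(req)} -> exploit attempt: {is_likely_exploit_attempt(req)}")
```

The high-confidence rule deliberately does not require `application/octet-stream`, since a sender can change the declared content type freely; the compressed Java stream header in the body is the stronger signal, and the content type is kept as a separate, lower-weight indicator for triage.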

CVSS provenance

NVD · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P