SB2016101312 - Multiple vulnerabilities in JBoss Enterprise Application Platform

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2016-9585)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack.

2) Deserialization of Untrusted Data (CVE-ID: CVE-2016-7065)

The vulnerability allows a remote authenticated user to execute arbitrary code.

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/94932
• https://bugzilla.redhat.com/show_bug.cgi?id=1404528
• http://seclists.org/fulldisclosure/2016/Nov/143
• http://www.securityfocus.com/bid/93462
• https://bugzilla.redhat.com/show_bug.cgi?id=1382534
• https://www.exploit-db.com/exploits/40842/