SB2017011206 - Remote code execution in HPE Operations Orchestration
Published: January 12, 2017
Security Bulletin ID
SB2017011206
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Deserialization of untrusted data (CVE-ID: CVE-2016-8519)
The vulnerability allows a remote attacker to execute arbitrary code on vulnerable system.
The vulnerability exists due to incorrect validation of user-supplied data within the wsExecutionBridgeService servlet when performing deserialization. A remote attacker can send a specially crafted request to vulnerable service and execute arbitrary code on the target system with privileges of the current process.
Successful exploitation of this vulnerability may allow an attacker co compromise vulnerable system.
Remediation
Install update from vendor's website.