CVE-2016-2510 - Data Processing Errors vulnerability in multiple products

CVSS 8.1 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, high complexity, beanshell, debian, canonical, CWE-19, nessus

Summary

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2923-1.NASL
    description: Alvaro Munoz and Christian Schneider discovered that BeanShell incorrectly handled deserialization. A remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89778
    published: 2016-03-09
    reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/89778
    title: Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : bsh vulnerability (USN-2923-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-370.NASL
    description: This update for bsh2 fixes the following issues : - Version update to 2.0b6 boo#967593 CVE-2016-2510 - Upstream development moved to github - No obvious changelog apart from the above
    last seen: 2020-06-05
    modified: 2016-03-21
    plugin id: 90062
    published: 2016-03-21
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/90062
    title: openSUSE Security Update : bsh2 (openSUSE-2016-370)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3504.NASL
    description: Alvaro Munoz and Christian Schneider discovered that BeanShell, an embeddable Java source interpreter, could be leveraged to execute arbitrary commands: applications including BeanShell in their classpath are vulnerable to this flaw if they deserialize data from an untrusted source.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89694
    published: 2016-03-07
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/89694
    title: Debian DSA-3504-1 : bsh - security update
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201607-17.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201607-17 (BeanShell: Arbitrary code execution). An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Impact : Remote attackers could execute arbitrary code including shell commands. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92653
    published: 2016-08-01
    reporter: This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/92653
    title: GLSA-201607-17 : BeanShell: Arbitrary code execution
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_9E5BBFFCD8AC11E5B2BD002590263BF5.NASL
    description: Stian Soiland-Reyes reports : This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Munoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix! An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security, XStream security and How to secure deserialization from untrusted input without using encryption or sealing.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88877
    published: 2016-02-22
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88877
    title: FreeBSD : bsh -- remote code execution vulnerability (9e5bbffc-d8ac-11e5-b2bd-002590263bf5)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-443.NASL
    description: A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features. CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. For Debian 6
    last seen: 2020-03-17
    modified: 2016-03-01
    plugin id: 89043
    published: 2016-03-01
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/89043
    title: Debian DLA-443-1 : bsh security update
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-351.NASL
    description: This update for bsh2 fixes the following issues : - CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Please see https://github.com/beanshell/beanshell/releases/tag/2.0b6 for more information. This update was imported from the SUSE:SLE-12:Update update project.
    last seen: 2020-06-05
    modified: 2016-03-17
    plugin id: 89976
    published: 2016-03-17
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/89976
    title: openSUSE Security Update : bsh2 (openSUSE-2016-351)

Redhat

advisories
  • RHSA-2016:0539
  • RHSA-2016:0540
  • RHSA-2016:1135
  • RHSA-2016:1376
  • RHSA-2016:2035
  • RHSA-2019:1545

References