CVE-2016-2510 - Data Processing Errors vulnerability in multiple products

Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 4
OS | | 2
OS | | 3
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- XML Nested Payloads Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
- XML Oversized Payloads Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
- XML Client-Side Attack Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
- XML Parser Attack Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Nessus
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2923-1.NASL
description: Alvaro Munoz and Christian Schneider discovered that BeanShell incorrectly handled deserialization. A remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 89778
published: 2016-03-09
reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/89778
title: Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : bsh vulnerability (USN-2923-1)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2016-370.NASL
description: This update for bsh2 fixes the following issues : - Version update to 2.0b6 boo#967593 CVE-2016-2510 - Upstream development moved to github - No obvious changelog apart from the above
last seen: 2020-06-05
modified: 2016-03-21
plugin id: 90062
published: 2016-03-21
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/90062
title: openSUSE Security Update : bsh2 (openSUSE-2016-370)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-3504.NASL
description: Alvaro Munoz and Christian Schneider discovered that BeanShell, an embeddable Java source interpreter, could be leveraged to execute arbitrary commands: applications including BeanShell in their classpath are vulnerable to this flaw if they deserialize data from an untrusted source.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 89694
published: 2016-03-07
reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/89694
title: Debian DSA-3504-1 : bsh - security update

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201607-17.NASL
description: The remote host is affected by the vulnerability described in GLSA-201607-17 (BeanShell: Arbitrary code execution). An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Impact : Remote attackers could execute arbitrary code including shell commands. Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 92653
published: 2016-08-01
reporter: This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/92653
title: GLSA-201607-17 : BeanShell: Arbitrary code execution

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_9E5BBFFCD8AC11E5B2BD002590263BF5.NASL
description: Stian Soiland-Reyes reports : This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Munoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix! An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security, XStream security and How to secure deserialization from untrusted input without using encryption or sealing.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 88877
published: 2016-02-22
reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/88877
title: FreeBSD : bsh -- remote code execution vulnerability (9e5bbffc-d8ac-11e5-b2bd-002590263bf5)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-443.NASL
description: A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features. CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. For Debian 6
last seen: 2020-03-17
modified: 2016-03-01
plugin id: 89043
published: 2016-03-01
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89043
title: Debian DLA-443-1 : bsh security update

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2016-351.NASL
description: This update for bsh2 fixes the following issues : - CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Please see https://github.com/beanshell/beanshell/releases/tag/2.0b6 for more information. This update was imported from the SUSE:SLE-12:Update update project.
last seen: 2020-06-05
modified: 2016-03-17
plugin id: 89976
published: 2016-03-17
reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/89976
title: openSUSE Security Update : bsh2 (openSUSE-2016-351)
Redhat advisories
References
- https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
- https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
- https://github.com/frohoff/ysoserial/pull/13
- https://github.com/beanshell/beanshell/releases/tag/2.0b6
- https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
- http://www.debian.org/security/2016/dsa-3504
- http://rhn.redhat.com/errata/RHSA-2016-0540.html
- http://rhn.redhat.com/errata/RHSA-2016-0539.html
- https://access.redhat.com/errata/RHSA-2016:1135
- http://www.securityfocus.com/bid/84139
- https://security.gentoo.org/glsa/201607-17
- http://www.securitytracker.com/id/1035440
- http://www.ubuntu.com/usn/USN-2923-1
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html
- https://access.redhat.com/errata/RHSA-2016:1376
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- https://access.redhat.com/errata/RHSA-2019:1545
- https://www.oracle.com/security-alerts/cpuoct2020.html