Vulnerabilities > CVE-2016-8648 - Deserialization of Untrusted Data vulnerability in Redhat Jboss A-Mq and Jboss Fuse

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

redhat

CWE-502

NVD

Published: 2018-08-01

Updated: 2023-02-12

Summary

It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.

Vulnerable Configurations

Part	Description	Count
Application	Redhat Redhat Jboss A MQ 6.0.0 Redhat Jboss Fuse 6.0.0	2

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648
http://www.securityfocus.com/bid/94513