Detections
Analytics

Zend Server Java Bridge Arbitrary Java Code Execution

critical Nessus Plugin ID 53533

Language:

Synopsis

The remote service has a code execution vulnerability.

Description

Zend Server Java Bridge, a service that lets PHP applications use Java code, has an arbitrary code execution vulnerability. The service accepts requests to execute Java code without authentication.

A remote, unauthenticated attacker could exploit this to execute arbitrary Java code.

Solution

Apply the hofix provided by the vendor.

If the hotfix is already applied, ensure access to the service is restricted using the 'zend.javamw.ip' system property.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-11-113/

https://seclists.org/bugtraq/2011/Mar/277

http://www.nessus.org/u?0c9a77c7

Plugin Details

Severity: Critical

ID: 53533

File Name: zend_server_java_bridge_code_exec.nasl

Version: 1.11

Type: remote

Family: Misc.

Published: 4/22/2011

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 3/24/2011

Vulnerability Publication Date: 3/24/2011

Exploitable With

Metasploit (Zend Server Java Bridge Arbitrary Java Code Execution)

Reference Information

BID: 47060