Red Hat JBoss Operations Network Java Object Deserialization RCE

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote JBoss Operations Network server is affected by a remote
code execution vulnerability.

Description :

The remote Red Hat JBoss Operations Network server is affected by a
remote code execution vulnerability because its HTTP interface
deserializes Java objects from unauthenticated clients and passes
the resulting objects to the Jython library without validating their
types. An unauthenticated, remote attacker can exploit this, by
sending specially crafted serialized Java objects to the HTTP
interface, to execute arbitrary code on the target host.
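The vulnerable pattern behind this class of bug, and the look-ahead allowlist that closes it, as an added example. This is illustrative code written for this page, not JBoss Operations Network source or Tenable's plugin: the AgentReport message type, the deserializeUnsafe/deserializeSafe helpers and the use of java.util.HashMap as the "unexpected" type are all assumptions chosen so the example runs with a stock JDK (9 or later, for Set.of) and nothing else.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class DeserializationDemo {

    // Constructed message type standing in for whatever the real protocol carries.
    static final class AgentReport implements Serializable {
        private static final long serialVersionUID = 1L;
        final String agentId;
        final int load;
        AgentReport(String agentId, int load) { this.agentId = agentId; this.load = load; }
    }

    // VULNERABLE: every class descriptor named in the bytes is resolved and
    // instantiated before the caller sees anything, so any gadget chain on the
    // classpath (e.g. one built from a bundled scripting library) runs here.
    static Object deserializeUnsafe(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // HARDENED: look-ahead allowlist. resolveClass() is invoked for each class
    // descriptor *before* an instance is created, so rejecting here stops a
    // gadget chain at the first unexpected type.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not allowed in this stream");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserializeSafe(InputStream in) throws IOException, ClassNotFoundException {
        // Only the message types this endpoint actually expects (assumption: just one).
        Set<String> allowed = Set.of(AgentReport.class.getName());
        try (ObjectInputStream ois = new AllowlistObjectInputStream(in, allowed)) {
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new AgentReport("agent-01", 42));
        // Stand-in for an attacker-supplied stream: a type the server never expects.
        // A real payload would name gadget classes; HashMap is used only so the
        // example runs with the JDK alone.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafe, expected type  : "
                + deserializeUnsafe(new ByteArrayInputStream(expected)).getClass().getName());
        System.out.println("unsafe, unexpected type: "
                + deserializeUnsafe(new ByteArrayInputStream(unexpected)).getClass().getName());
        System.out.println("safe, expected type    : "
                + deserializeSafe(new ByteArrayInputStream(expected)).getClass().getName());
        try {
            deserializeSafe(new ByteArrayInputStream(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("safe, unexpected type  : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The unsafe path happily materialises the HashMap; the allowlisted stream throws InvalidClassException before any constructor or readObject() of the unexpected class runs. On Java 9 and later the same policy can be expressed without subclassing via ObjectInputStream.setObjectInputFilter() (JEP 290), which additionally limits depth and array sizes. Neither replaces the advisory's own mitigation: an allowlist only helps code you control, while enabling agent authentication keeps unauthenticated streams away from the deserializer in the first place.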

See also :

https://www.tenable.com/security/research/tra-2016-22
https://access.redhat.com/security/cve/cve-2016-3737

Solution :

Red Hat has released JBoss Operations Network 3.3 Update 06 to address
this issue; however, Tenable Research has confirmed that the update
did not resolve the issue. To mitigate this issue, users should enable
agent authentication.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 91487

Bugtraq ID: 90430

CVE ID: CVE-2016-3737
