NetIQ Sentinel Java Object Deserialization RCE
Severity: Critical
Nessus Plugin ID 90602

Synopsis
The remote NetIQ Sentinel server is affected by a remote code execution vulnerability.

Description
The remote Novell NetIQ Sentinel server is affected by a remote code execution vulnerability because it deserializes untrusted Java objects without validation, and the Apache Commons Collections (ACC) library present on its classpath supplies the classes needed to turn that deserialization into code execution. An unauthenticated, remote attacker can exploit this by sending a specially crafted serialized Java object to the RMI interface, in order to execute arbitrary code with the privileges of the application.
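The following Java example is added here for illustration and is not code from NetIQ Sentinel, Tenable, or this plugin. It shows the unsafe pattern the description refers to, an ObjectInputStream.readObject() on bytes taken from the network, next to a hardened variant that installs a java.io.ObjectInputFilter allowlist (JEP 290, Java 9 and later; on Java 8u121 and later the same interface is sun.misc.ObjectInputFilter). The Job message class and the allowlist contents are assumptions made for the example; the vendor's fix for Sentinel is the upgrade given in the Solution.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/*
 * Added example (not NetIQ Sentinel or Nessus code): the unsafe pattern the
 * advisory describes beside a hardened variant that applies a class allowlist
 * with java.io.ObjectInputFilter. The Job message type and the allowlist
 * contents are assumptions for illustration.
 */
public class DeserializationFilterDemo {

    /** Hypothetical message type an RMI service might legitimately accept. */
    public static final class Job implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Job(String name) { this.name = name; }
    }

    /** Vulnerable: readObject() instantiates whatever class graph the sender chose,
     *  so a gadget chain built from classes on the classpath (for example
     *  org.apache.commons.collections.*) runs during deserialization itself. */
    public static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Only these classes may appear anywhere in the stream. Everything else is
     *  rejected by the filter before the object is constructed. */
    private static final Set<String> ALLOWED = Set.of(
            Job.class.getName(),
            "java.lang.String");

    /** Hardened: same readObject() call, but with an allowlist filter and
     *  resource limits installed on the stream first. */
    public static Object safeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = info -> {
            // Limits on nesting depth, back-references and array size guard
            // against streams built to exhaust memory or CPU.
            if (info.depth() > 8 || info.references() > 100 || info.arrayLength() > 1000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {
                // No class to decide on (e.g. a back-reference to an earlier object).
                return ObjectInputFilter.Status.UNDECIDED;
            }
            Class<?> component = c.isArray() ? c.getComponentType() : c;
            if (component.isPrimitive() || ALLOWED.contains(component.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate Job, and an object of a class the
        // service never expects (standing in for the root of a gadget chain).
        byte[] expected = serialize(new Job("rotate-logs"));
        byte[] unexpected = serialize(new java.util.HashMap<String, Object>());

        System.out.println("unsafe, expected:   " + ((Job) unsafeRead(expected)).name);
        System.out.println("unsafe, unexpected: " + unsafeRead(unexpected).getClass().getName());
        System.out.println("safe,   expected:   " + ((Job) safeRead(expected)).name);
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe,   unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter here is installed per stream, so it only protects code paths that call setObjectInputFilter. The RMI runtime's own deserialization (registry and distributed garbage collector traffic) is not covered unless a process-wide default filter is set with the jdk.serialFilter system property. Either way, a filter is defense in depth on top of the vendor upgrade, not a replacement for it.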
Solution
Upgrade to NetIQ Sentinel version 7.4.1 or later. Alternatively, contact the vendor for a workaround.