HP Network Automation RPCServlet Java Object Deserialization RCE
Critical Nessus Plugin ID 95658
Synopsis
An application running on the remote host is affected by a remote code execution vulnerability.
Description
The HP Network Automation application running on the remote host is version 9.1x, 9.2x, or 10.00.x prior to 10.00.021; 10.10.x or 10.11.x prior to 10.11.011; or 10.20.x prior to 10.20.001. It is, therefore, affected by a remote code execution vulnerability in RPCServlet: the servlet deserializes user-supplied Java objects without first validating the input, so whatever classes a crafted serialized stream names are resolved and instantiated as sent. An unauthenticated, remote attacker can exploit this, via a specially crafted request to RPCServlet, to execute arbitrary code.
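The following is an added illustration, not HP Network Automation code, of the class of bug described above: one method reads a Java object from a request body with a bare ObjectInputStream (any class in the stream is resolved and instantiated), the other sets an allow-list java.io.ObjectInputFilter (Java 9 and later) so that only the hypothetical RpcRequest message type and String are accepted and anything else is rejected before its readObject() can run. The RpcRequest class, the method names and the ArrayList "hostile" stream are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/** Illustrative only: not HP Network Automation code. Shows the unsafe pattern and one fix. */
public class RpcDeserializationDemo {

    /** Hypothetical message type the RPC endpoint legitimately expects. */
    static final class RpcRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String method;
        final String argument;
        RpcRequest(String method, String argument) { this.method = method; this.argument = argument; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The vulnerable pattern: every class named in the client's stream is resolved and instantiated. */
    static Object unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    /**
     * Allow-list filter. ObjectInputStream consults it when each class is resolved, before any
     * readObject() of that class executes, which is the point at which a gadget chain is stopped.
     */
    static final ObjectInputFilter RPC_FILTER = info -> {
        if (info.depth() > 2 || info.references() > 32) {
            return ObjectInputFilter.Status.REJECTED;        // cap nesting and object count
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;       // primitives and back-references
        }
        return (c == RpcRequest.class || c == String.class)
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;         // anything else, arrays included
    };

    static RpcRequest safeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(RPC_FILTER);             // must be set before the first readObject()
            Object o = in.readObject();
            if (!(o instanceof RpcRequest)) {
                throw new InvalidClassException("unexpected root object " + o.getClass().getName());
            }
            return (RpcRequest) o;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new RpcRequest("listDevices", "site=lab"));
        // Constructed stand-in for a hostile stream: any class the endpoint never meant to accept.
        byte[] hostile = serialize(new ArrayList<>(List.of("payload")));

        System.out.println("unsafe, expected: " + unsafeRead(expected).getClass().getName());
        System.out.println("unsafe, hostile:  " + unsafeRead(hostile).getClass().getName());
        System.out.println("safe,   expected: " + safeRead(expected).method);
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe,   hostile:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

The instanceof check after readObject() is not redundant with the filter: the filter decides which classes may be materialised, while the cast confirms the root object is the one the endpoint actually handles. On Java 8 the same filter API exists as sun.misc.ObjectInputFilter from update 121; on older runtimes the equivalent is a subclass of ObjectInputStream that overrides resolveClass() to enforce the same allow-list.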
Solution
Apply the appropriate patch according to the vendor advisory: upgrade to 10.00.021, 10.11.011 or 10.20.001 for the 10.x branches, or apply the vendor-supplied patch for 9.1x and 9.2x.
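As an added example (not Tenable's plugin code), the version-range logic in the description expressed as a check a practitioner can run against a reported build string. The fixed builds are the ones the page names; the assumption that "9.1x" and "9.2x" mean minor versions 10 through 29 of the 9 branch, and that trailing build segments beyond the third can be ignored, are this example's own.

```java
import java.util.Arrays;

/** Added example: encodes the affected ranges from the plugin description. */
public class HpnaVersionCheck {

    // Fixed builds named in the description.
    private static final int[] FIX_10_00 = {10, 0, 21};
    private static final int[] FIX_10_11 = {10, 11, 11};
    private static final int[] FIX_10_20 = {10, 20, 1};

    /** Parse "10.00.020" into {10, 0, 20}; missing trailing segments count as 0, extra ones are ignored. */
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        int[] v = new int[3];
        for (int i = 0; i < Math.min(3, parts.length); i++) {
            v[i] = Integer.parseInt(parts[i]);   // throws NumberFormatException on a non-numeric segment
        }
        return v;
    }

    /** True when the version falls inside one of the ranges the description lists as affected. */
    static boolean isAffected(String version) {
        int[] v = parse(version);
        int major = v[0], minor = v[1];
        if (major == 9 && minor >= 10 && minor <= 29) {
            return true;                                  // 9.1x and 9.2x: no fixed build named, patch required (assumed range)
        }
        if (major == 10 && minor == 0) {
            return Arrays.compare(v, FIX_10_00) < 0;      // 10.00.x prior to 10.00.021
        }
        if (major == 10 && (minor == 10 || minor == 11)) {
            return Arrays.compare(v, FIX_10_11) < 0;      // 10.10.x or 10.11.x prior to 10.11.011
        }
        if (major == 10 && minor == 20) {
            return Arrays.compare(v, FIX_10_20) < 0;      // 10.20.x prior to 10.20.001
        }
        return false;                                     // branches the description does not name
    }

    public static void main(String[] args) {
        String[] samples = {"9.22", "10.00.020", "10.00.021", "10.10.005", "10.11.011", "10.20.000", "10.20.001", "10.30"};
        for (String s : samples) {
            System.out.println(s + " -> " + (isAffected(s) ? "affected" : "not in an affected range"));
        }
    }
}
```

A version that is not in any named range (10.30 in the sample) is reported as not matching the description rather than as safe; only the ranges the page lists are encoded.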