WebSphere Application Server (WAS) Community Edition 3.0.0.3 | CVE-2013-1777 | http://geronimo.apache.org/downloads.html | Remote exploits can be prevented by hiding the naming (1099) and JMX (9999) ports behind a firewall or binding the ports to a local network interface. | Add the instruction Thread.currentThread().setContextClassLoader(getClass().getClassLoader()); in the class JMXConnector and other instructions in the class JMXSecureConnector (patch in http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1458113) | | X | |
Jboss RichFaces (Jboss-RF) 3.x <= 3.3.3 and 4.x <= 4.3.2 | CVE-2013-2165 | https://richfaces.jboss.org/download/archive.html | A flaw in the way JBoss RichFaces handled deserialization allowing a remote attacker to trigger the execution of the deserialization methods in any serializable class deployed on the server. | Create a whitelist of classes that are available to participate in the RichFaces resource deserialisation process https://www.bleathem.ca/blog/richfaces-security-advisory-cve-2013-2165/ and https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html | | X | |
Android < 5.0.0 | CVE-2014-7911 | https://android.googlesource.com/?format=HTML | luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation does not verify that deserialization will result in an object that meets the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy | Add checks that the class being deserialized matches the type information (enum, serializable, externalizable) held in the stream. Delay static initialization of classes until the type of the class has been validated against the stream content in some cases. (see https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2%5E%21/#F0 and https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2) | | X | |
Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 | CVE-2014-9757 | https://www.atlassian.com/software/bamboo/download-archives | The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message | The origin of the attack is the Smack library used in Bamboo. The patched version Bamboo 5.10.0 uses an updated version of the Smack library with many modifications: some classes are removed (such as Connection, Chat, ConnectionManager), the class XMPPConnection becomes an interface, etc. (patch obtained by diffing versions 5.9.7 and 5.10.0 of Bamboo, and more precisely the Smack library). | | X | |
Atlassian Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 | CVE-2015-6576 | https://www.atlassian.com/software/bamboo/download-archives | Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. | Removes the deserializeObject method from the DeliverMessageServlet vulnerable class. | | X | |
Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 | CVE-2015-8360 | https://www.atlassian.com/software/bamboo/download-archives | An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port. | Use of black and white lists for serialization (patch obtained using the diff between the versions 5.10.0 and 5.9.7: there are two files serialization-blacklist.list and serialization-whitelist.list in the path "atlassian-bamboo-5.10.0/atlassian-bamboo/WEB-INF/classes") | | X | |
Jenkins < 1.638 and LTS < 1.625.2 | CVE-2015-8103 | https://github.com/jenkinsci/jenkins https://wiki.jenkins.io/display/JENKINS/Jenkins+CLI | The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object | Unknown patch. Mitigation: remove/disable the CLI support inside of the running Jenkins server (https://www.jenkins.io/blog/2015/11/06/mitigating-unauthenticated-remote-code-execution-0-day-in-jenkins-cli/) | | X | |
VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x | CVE-2015-6934 | https://docs.vmware.com/en/vRealize-Orchestrator/7.6/rn/VMware-vRealize-Orchestrator-76-Release-Notes.html | Remote attackers can execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library | Replace the Commons Collections library by commons-collections-3.2.2.jar in the dependencies of the mentioned products (see https://kb.vmware.com/s/article/2141244) | | X | |
Adobe Experience Manager (Adobe-EM) 5.6.1, 6.0.0, and 6.1.0 | CVE-2016-0958 | No | Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 might allow remote attackers to have an unspecified impact via a crafted serialized Java object. | Unknown patch | | X | |
Hazelcast < 3.11 | CVE-2016-10750 | https://github.com/hazelcast/hazelcast | A flaw was found in the cluster join procedure in Hazelcast. This flaw allows an attacker to gain remote code execution via Java deserialization. | Add class name blacklisting and whitelisting by defining the following system properties: hazelcast.serialization.filter.enabled, hazelcast.serialization.filter.blacklist.classes, hazelcast.serialization.filter.blacklist.packages, hazelcast.serialization.filter.whitelist.classes and hazelcast.serialization.filter.whitelist.packages (see https://docs.hazelcast.org/docs/3.10.5/manual/html-single/index.html#untrusted-deserialization-protection) | | X | |
Apache OFBiz 12.04.x < 12.04.06 and 13.07.x < 13.07.03 | CVE-2016-2170 | http://archive.apache.org/dist/ofbiz/ | Remote attackers can execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library | Update Commons Collections to 4.1 and comment out RMI related code (see https://issues.apache.org/jira/browse/OFBIZ-6942, https://markmail.org/message/nh6csf4fun5n6e23 and https://issues.apache.org/jira/browse/OFBIZ-6726) | | X | |
SolarWinds Virtualization Manager <= 6.3.1 | CVE-2016-3642 | No | The vulnerability exists due to the deserialization of untrusted data in the RMI service running on port 1099/TCP. A remote attacker can execute operating system commands as an unprivileged user | Inaccessible patch (it is mentioned that there is a hotfix in https://packetstormsecurity.com/files/137486/Solarwinds-Virtualization-Manager-6.3.1-Java-Deserialization.html and https://seclists.org/fulldisclosure/2016/Jun/29 but no more details are given) | | X | |
HP Network Node Manager i (HP-NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 | CVE-2016-4398 | No | A vulnerability in Apache Commons Collections for handling Java object deserialization was addressed by HPE Network Node Manager i (NNMi) Software. The vulnerability could be remotely exploited to allow remote code execution. | Unknown patch | | X | |
Apache Wicket 6.x < 6.25.0 and 1.5.x < 1.5.17 | CVE-2016-6793 | https://archive.apache.org/dist/wicket/ | The DiskFileItem class in Apache Wicket allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object. | Change the class DiskFileItem: add a check instruction Files.checkFileName(tempDir.getPath()) in the method getTempFile() of the patched version (patch obtained by doing the diff between the 6.24.0 and 6.25.0 versions) | | X | |
Red Hat JBoss Enterprise Application Platform (Jboss-EAP) 4 and 5 | CVE-2016-7065 | https://developers.redhat.com/products/eap/download | JBoss EAP 4 and 5 JMX servlet is exposed on port 8080/TCP with authentication by default. The communication employs serialized Java objects, encapsulated in HTTP requests and responses. The server deserializes these objects. This behavior can be exploited to cause a denial of service and potentially execute arbitrary code | Red Hat does not fix the issue because JBoss EAP 4 is out of maintenance support and JBoss EAP 5 is close to the end of its maintenance period (see https://seclists.org/fulldisclosure/2016/Nov/143) | | X | |
Soffid IAM < 1.7.5 | CVE-2017-9363 | https://github.com/SoffidIAM/console | Untrusted Java serialization in Soffid IAM console before 1.7.5 allowing remote attackers to achieve arbitrary remote code execution via a crafted authentication request | Disable two features in the class servlet.SignatureReceiver by throwing two exceptions, new ServletException("Disabled feature"); and new UiException("Disabled feature"); (see https://github.com/SoffidIAM/console/commit/8e9e7c9e537acfc2a245fbbeb41a143b5b4f7230#diff-544c1cb1ac64f2f62b6b326bd0b1b6addc17f19416878d319d3643e302a043b7) | | X | |
ZTE ZXIPTV-EPG < V5.09.02.02T4 | CVE-2017-10934 | No | This product uses the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host | Unknown patch. Workaround: Ensure that all exposed ports used by the server, including the RMI registry port, are firewalled from any untrusted IP address. (see http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008682) | | X | |
Akka versions <= 2.4.16 and 2.5-M1 | CVE-2017-1000034 | https://mvnrepository.com/artifact/com.typesafe.akka/akka-actor_2.12 | An attacker that can connect to an ActorSystem exposed via Akka Remote over TCP can gain remote code execution capabilities in the context of the JVM process that runs the ActorSystem under some conditions (JavaSerializer is enabled (default in Akka 2.4.x), etc.) | The system is configured with the Java serializer disabled: using DisabledJavaSerializer instead of JavaSerializer (see the file reference.conf for explanation). Additional protection can be achieved when running in an untrusted network by enabling TLS with mutual authentication. https://doc.akka.io/docs/akka/2.4/security/2017-02-10-java-serialization.html, https://akka.io/blog/news/2017/02/10/akka-2.4.17-released and https://doc.akka.io/docs/akka/2.4/scala/remoting.html#remote-tls-scala | | X | |
Cisco Unity Express (Cisco-UE) < release 9.0.6 | CVE-2018-15381 | No | A remote user can create specially crafted content that, when loaded by the target user, will trigger a Java deserialization flaw and execute arbitrary code on the target user’s system. The code will run with root privileges. | Workaround: this vulnerability can be exploited over TCP port 1099. The CUE does not need this port to be open externally and it may be blocked to protect against remote exploitation of this vulnerability. An administrator can configure an access control list that blocks all traffic with a destination port of TCP/1099 from reaching the CUE. (see https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue) | | X | |
Apache Storm versions 1.1.0 to 1.2.2 | CVE-2018-11779 | https://archive.apache.org/dist/storm/ | When the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class. | Update implementation of serializable classes in v1.2.3: remove the indirect call to readObject from getSetComponentObject method (using the diff between the vulnerable 1.2.2 version and the non vulnerable 1.2.3 version) | | X | |
Jenkins Pipeline supporting APIs Plugin <= 2.17 | CVE-2018-1000058 | https://updates.jenkins.io/download/plugins/workflow-support/ | Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles. | Adding sandboxing: reinforcement of the class RiverWriter using a try/catch block in which the serialization is carried out inside a GroovySandbox.runInSandbox() method. The class RiverReader is also strengthened by performing the deserialization inside a sandbox provided by an inner class SandboxedUnmarshaller. The patch is found using the diff between the 2.17 (vulnerable) and 2.18 (patched) versions. | | X | |
Log4j | CVE-2019-17571 | https://github.com/apache/log4j | A vulnerable SocketServer class may lead to the deserialization of untrusted data allowing an attacker to remotely execute arbitrary code when combined with a deserialization gadget | Add class filtering to AbstractSocketServer: this allows a whitelist of class names to be specified to configure which classes are allowed to be deserialized in both TcpSocketServer and UdpSocketServer (link: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc192) | | X | |
JetBrains TeamCity before 2019.1.4 | CVE-2019-18364 | https://www.jetbrains.com/fr-fr/teamcity/download/other.html | Insecure Java Deserialization could potentially allow remote code execution | Unknown patch (researching patch exceeds time limit) | | X | |
Apache Dubbo 2.7.0 before 2.7.5, 2.6.0 before 2.6.8, and 2.5.x versions | CVE-2019-17564 | https://github.com/apache/dubbo | An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. | The patched version does not support outdated http-invoker rpc protocol anymore (see https://github.com/apache/dubbo/commit/9b18fe228971eaeca9b87d7b7e95df1c2a8ff91b and https://github.com/apache/dubbo/releases/tag/dubbo-2.7.5) | | X | |
Apache Ofbiz from 16.11.01 to 16.11.05 | CVE-2019-0189 | https://archive.apache.org/dist/ofbiz/ | This issue is exposed by the “webtools/control/httpService” URL, and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter serviceContext is passed to the deserialize method of XmlSerializer. | Improve ObjectInputStream class and redefine it as a new class SafeObjectInputStream in which there is an added whitelist. Also add objects from org.apache.commons.fileupload (namely DiskFileItem and FileItemHeadersImpl) as non-serializable in this class SafeObjectInputStream (see the diff between the two versions 16.11.05 and 16.11.06. See also https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;a=blob;f=framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java;h=d50cfbf11fc4d3b5855c53cb38a6cde7e101dc83;hb=3f60efb) | | X | |
Apache Tapestry | CVE-2019-0195 | https://downloads.apache.org/tapestry/ | Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. It is possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker is able to download the file AppModule.class by requesting the URL “http://localhost:8080/assets/something/services/AppModule.class” which contains an HMAC secret key. | The fix for that bug was a blacklist filter that checks if the URL ends with ".class", ".properties" or ".xml". However, it is proven that this blacklist solution can simply be bypassed by appending a "/" at the end of the URL: “http://localhost:8080/assets/something/services/AppModule.class/” (source: https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751@%3Cusers.tapestry.apache.org%3E) | | X | |
Apache Tomcat | CVE-2020-9484 | https://github.com/apache/tomcat | Deserialization flaw in session persistence storage FileStore leading to remote code execution | Update the class FileStore with some checks (patch in https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b) | | X | |
OpenNMS Horizon < 26.0.1 and Meridian before 2018.1.19 and 2019 before 2019.1.7 | CVE-2020-12760 | https://github.com/OpenNMS/opennms/releases/tag/opennms-26.0.1-1 | The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects leading to remote code execution for any authenticated channel user regardless of its assigned permissions | Remove a parameter after stopping the use of serialized object messages in the file applicationContext-daemon.xml: <property name="trustAllPackages" value="true"/> (see https://github.com/OpenNMS/opennms/pull/2983 and https://github.com/OpenNMS/opennms/pull/2983/files/e21fc14ce355533493da0db815bd81a66e291382) | | X | |
IBM Maximo Asset Management 7.6.0 and 7.6.1 | CVE-2020-4521 | https://github.com/nishi2go/maximo-docker | IBM Maximo Asset Management could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in Java. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system | Inaccessible patch (when connecting to https://www.ibm.com/support/pages/node/6332587 an error message (“No applicable IBM support agreement found for one or more of the products you selected”) appears) | | X | |
Cisco Security Manager (Cisco-SM) | CVE-2020-27131 | No | Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY/SYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities | Unknown patch | | X | |
Taoensso Nippy < 2.14.2 | CVE-2020-24164 | https://github.com/ptaoussanis/nippy | A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java Serializable interface: Nippy introduced a feature to allow the automatic use of Java’s Serializable interface as a fallback for types that Nippy didn’t support via its own Freezable protocol. | Use a predicate fn (fn allow-class? [class-name]) that can be assigned to "*freeze-serializable-allowlist*" and/or "*thaw-serializable-allowlist*". This predicate is used to record information about which classes have been using Nippy’s Serializable support in the user’s environment (see http://ptaoussanis.github.io/nippy/taoensso.nippy.html#var-allow-and-record-any-serializable-class-unsafe) | | X | |
Apache Tapestry 4 | CVE-2020-17531 | https://github.com/apache/tapestry4 | Apache Tapestry 4 will attempt to deserialize the “sp” parameter even before invoking the page’s validate method, leading to deserialization without authentication | Apache Tapestry 4 reached end of life in 2008 and no update addressing this issue has been released (upgrading to the latest Apache Tapestry 5 version is necessary) (see https://lists.apache.org/thread.html/r700a6aa234dbff0555d4187bdc8274d7e4c0afbf35b9a3457f09ee76%40%3Cusers.tapestry.apache.org%3E and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17531) | | X | |
Gradle Enterprise Maven Extension | CVE-2020-15777 | https://mvnrepository.com/artifact/com.gradle/gradle-enterprise-maven-extension | The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious deserialization gadget chain. The socket is not bound exclusively to localhost. The port this socket is assigned to is randomly selected and is not intentionally exposed to the public (either by design or documentation). This could potentially be used to achieve remote code execution and local privilege escalation. | Add an allow-list in a class ValidatingObjectInputStream (patch obtained by doing the diff between the vulnerable 1.5.3 and the non-vulnerable 1.6 versions) | | X | |
Apache Camel Netty (Camel-Netty) | CVE-2020-11973 | https://github.com/apache/camel/tree/main/components/camel-netty | Apache Camel RabbitMQ enables Java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability | Disable object serialization: only Strings are allowed to be serialized by default, anything else will only be serialized with a custom encoder/decoder (https://github.com/apache/camel/pull/3537) | | X | |
Apache Camel RabbitMQ (Camel-RabbitMQ) 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 | CVE-2020-11972 | https://github.com/apache/camel | Apache Camel RabbitMQ enables Java deserialization, by default, without any means of disabling which can lead to arbitrary code being executed. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability | Disable RabbitMQ Java serialization by default. It can be re-enabled using a parameter "allowMessageBodySerialization" in the class RabbitMQEndpoint (see https://github.com/zregvart/camel/commit/c15ed20d92b5c920e9e55fe584f8e412b23f14f6) | | X | |
Emissary 6.4.0 | CVE-2021-32634 | https://github.com/NationalSecurityAgency/emissary | Unsafe Deserialization of post-authenticated requests to the WorkSpaceClientEnqueue.action REST endpoint. | Remove unsafe serialization from PayloadUtil. Remove the class WorkBundle from the list of serializable classes, remove some classes like MoveToAction and MoveToAdapter. Replace the ObjectInputStream by DataInputStream (see https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-m5qf-gfmp-7638) | | X | |
Apache Dubbo prior to 2.6.9 and 2.7.9 | CVE-2021-30179 | https://github.com/apache/dubbo | Apache Dubbo by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the invoke or invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments | Native Java deserialization is no longer activated by default. If a user still wants to use it, set dubbo.security.serialize.generic.native-java-enable to true in the environment. An embedded serialization block list is introduced in dubbo-common/src/main/resources/security/serialize.blockedlist. (see https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10) | | X | |
Apache OFBiz | CVE-2021-29200 | https://github.com/apache/ofbiz-framework | An unauthenticated user can perform an RCE attack | Update UtilObject class. Restrict unauthorized deserialisations to java.rmi instead of java.rmi.server. (patch in https://issues.apache.org/jira/browse/OFBIZ-12216 and https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=1bc8a20) | | X | |
Apache OFBiz | CVE-2021-26295 | https://github.com/apache/ofbiz-framework | An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz | The code fix is to “blacklist” the RMI server to prevent it from being exploited. (see https://issues.apache.org/jira/browse/OFBIZ-12167 and https://lists.apache.org/thread.html/r0d97a3b7a14777b9e9e085b483629d2774343c4723236d1c73f43ff0@%3Cdev.ofbiz.apache.org%3E) | | X | |
McAfee Database Security (DBSec) < 4.8.2 | CVE-2021-23895 | No | A remote authenticated attacker can create a reverse shell with administrator privileges on the DBSec server via a carefully constructed Java serialized object sent to the DBSec server | Unknown patch | | X | |
McAfee Database Security (DBSec) < 4.8.2 | CVE-2021-23894 | No | A remote unauthenticated attacker can create a reverse shell with administrator privileges on the DBSec server via a carefully constructed Java serialized object sent to the DBSec server. | Unknown patch | | X | |
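
Several fixes in the table (Bamboo's serialization-whitelist.list, OFBiz's SafeObjectInputStream, Gradle's ValidatingObjectInputStream, Log4j's class filtering in AbstractSocketServer) follow the same pattern: an allow-list checked before a class is resolved, so a type outside the list is rejected before any of its deserialization hooks can run. The following is an added example of that pattern, not code from any of the listed projects; the class name AllowListObjectInputStream, the ALLOWED set, the helpers and the round-trip inputs are constructed for illustration, and it assumes Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

// Added example (not from any project in the table): a look-ahead allow-list stream.
public class AllowListObjectInputStream extends ObjectInputStream {

    // Hypothetical allow-list: only the types this endpoint legitimately exchanges.
    static final String PRIMITIVE_ARRAY = "<primitive-array>";
    static final Set<String> ALLOWED = Set.of(
            "java.util.ArrayList", "java.lang.Integer", "java.lang.Number", PRIMITIVE_ARRAY);

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called for every class descriptor in the stream before an instance exists, so a
    // class outside the list is rejected before its readObject/readResolve could run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(elementType(name))) {
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Dynamic proxies are a common gadget-chain ingredient; this endpoint never needs them.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("proxy classes are not allowed: " + String.join(",", interfaces));
    }

    // Array classes appear as JVM descriptors ("[Ljava.lang.String;", "[[I"); reduce them
    // to the element class name, or to a sentinel for primitive arrays.
    static String elementType(String name) {
        String n = name;
        while (n.startsWith("[")) n = n.substring(1);
        if (n.startsWith("L") && n.endsWith(";")) return n.substring(1, n.length() - 1);
        return n.equals(name) ? n : PRIMITIVE_ARRAY;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readWithAllowList(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an expected payload, and one whose type is outside the list.
        List<Integer> ok = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("accepted: " + readWithAllowList(serialize(ok)));
        HashMap<String, String> rejected = new HashMap<>();
        rejected.put("k", "v");
        try {
            readWithAllowList(serialize(rejected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without a subclass through the JDK's built-in ObjectInputFilter, e.g. ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.Integer;java.lang.Number;!*")), which rejects every class not matched by the pattern.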