Description
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94513
Issue Tracking, Mitigation, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8648
Scores
CVSS v3
7.2
EPSS
0.0200
EPSS Percentile
78.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (2)
redhat/jboss_a-mq
6.0.0
redhat/jboss_fuse
6.0.0
Published
Aug 01, 2018
Tracked Since
Feb 18, 2026