Apache TomEE 1.x < 1.7.4 / 7.x < 7.0.0-M3 Multiple RCE

Nessus Network Monitor Plugin ID 9323 (Critical)

Synopsis

The remote web server is running Apache TomEE.

Description

The remote web server is running Apache TomEE 1.x prior to 1.7.4 or 7.x prior to 7.0.0-M3 and is therefore affected by two remote code execution (RCE) vulnerabilities:

- A flaw exists in 'EjbObjectInputStream' that is triggered during the deserialization of Java serialized input from the binary stream. This may allow a remote attacker to execute arbitrary code. (CVE-2015-8581)
- A flaw exists in the EJBd protocol that is triggered during the deserialization of crafted Java objects. This may allow a remote attacker to execute arbitrary code. Exploitation requires that EJBd be enabled on the instance, which is the default setting. (CVE-2016-0779)

Solution

Upgrade Apache TomEE to version 7.0.0-M3 or later. If version 7.x cannot be obtained, version 1.7.4 is also patched for these issues.

See Also

http://tomee.apache.org/security/tomee.html

Plugin Details

Severity: Critical

ID: 9323

Family: Web Servers

Published: 5/24/2016

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomee

Patch Publication Date: 3/7/2016

Vulnerability Publication Date: 3/1/2016

Reference Information

CVE: CVE-2015-8581, CVE-2016-0779

BID: 84422