ManageEngine Applications Manager Apache Commons Collections Insecure Deserialization
TSL ID TSL20170406-08
CVE ID(s) CVE-2016-9498
Severity Moderate
Description

An insecure deserialization vulnerability exists in ManageEngine Applications Manager. The product ships a version of the Apache Commons Collections library on its classpath that still allows its transformer classes to be deserialized (the chain used as a remote code execution gadget), and its RMI service deserializes objects received from the network without validating them. Together these let an attacker supply a serialized object that executes arbitrary code when it is deserialized.

A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted serialized object to the RMI service listening on port 11099/TCP. Successful exploitation can result in arbitrary code execution with the privileges of the RMI service process.

The vendor, ManageEngine, has released a new version of the product:

https://www.manageengine.com/products/applications_manager/release-notes.html
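As an added illustration (not vendor code and not part of this advisory), the following Python script performs the two checks a practitioner would run before and after applying the vendor build: it inspects every commons-collections jar under an install directory for a version that still serializes the gadget classes (this was disabled in Commons Collections 3.2.2 and 4.1), and it can confirm whether a host answers the JRMP stream-protocol handshake on 11099/TCP. The install path, the jar naming, and the fixture versions in the demo are assumptions. The only authoritative fix is the vendor build referenced above; a patched library alone does not remove the deserialization entry point, since other gadget chains may be present on the classpath.

```python
"""Exposure check for the Applications Manager deserialization advisory.

Added example, not vendor code. Assumed: jars are named commons-collections*.jar
somewhere under the install directory and carry Implementation-Version in their manifest.
"""
import re
import socket
import tempfile
import zipfile
from pathlib import Path

# Commons Collections releases that stopped serializing the InvokerTransformer gadget.
SAFE_MIN_3X = (3, 2, 2)
SAFE_MIN_4X = (4, 1, 0)
RMI_PORT = 11099  # port named in the advisory

# JRMP stream-protocol client header: magic "JRMI", version 2, StreamProtocol (0x4b).
JRMI_HANDSHAKE = b"JRMI" + b"\x00\x02" + b"\x4b"
JRMP_PROTOCOL_ACK = 0x4E


def parse_version(text):
    """Pull a (major, minor, patch) tuple out of a manifest value or a file name."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(jar_path):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    return parse_version(Path(jar_path).name)


def is_gadget_capable(version):
    """True if this Commons Collections version still deserializes the gadget classes."""
    if version is None:
        return True  # unknown version: treat as affected, not as safe
    major = version[0]
    if major == 3:
        return version < SAFE_MIN_3X
    if major == 4:
        return version < SAFE_MIN_4X
    return major < 3


def scan_classpath(root):
    """Return [(path, version, vulnerable)] for every commons-collections jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("commons-collections*.jar"), key=str):
        version = jar_version(jar)
        findings.append((str(jar), version, is_gadget_capable(version)))
    return findings


def parse_jrmp_ack(data):
    """True if the server reply starts with ProtocolAck (0x4e), i.e. the port speaks JRMP."""
    return len(data) >= 1 and data[0] == JRMP_PROTOCOL_ACK


def probe_rmi(host, port=RMI_PORT, timeout=3.0):
    """Network check: does host:port answer the JRMP handshake? Not used by the offline demo."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(JRMI_HANDSHAKE)
        return parse_jrmp_ack(s.recv(64))


def make_fake_jar(path, impl_version):
    """Constructed fixture: a minimal jar containing only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {impl_version}\r\n")


def demo_scan():
    """Offline demo: one vulnerable 3.x jar and one fixed 4.x jar in a temporary install tree."""
    with tempfile.TemporaryDirectory() as root:
        lib = Path(root) / "lib"
        lib.mkdir()
        make_fake_jar(lib / "commons-collections-3.2.1.jar", "3.2.1")
        make_fake_jar(lib / "commons-collections4-4.1.jar", "4.1")
        return scan_classpath(root)


if __name__ == "__main__":
    for path, version, vulnerable in demo_scan():
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {version} {path}")
    print("handshake bytes sent to 11099/TCP:", JRMI_HANDSHAKE.hex())
```

Run `scan_classpath("/opt/ManageEngine/AppManager")` (path assumed) against a real install; any `VULNERABLE` finding, or a positive `probe_rmi` result from an untrusted network segment, means the upgrade to the vendor build is still outstanding or the service is more exposed than it needs to be.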

Affected Products
  • ManageEngine Applications Manager 13.2 prior to build 13200
CVSS Score Base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.5 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
References http://seclists.org/fulldisclosure/2017/Apr/9
https://www.manageengine.com/products/applications_manager/release-notes.html