HPE Operations Orchestration backwards-compatibility beanutils Insecure Deserialization
TSL ID TSL20170905-08
CVE ID(s) CVE-2017-8994
Severity Critical
Description

An insecure deserialization vulnerability has been reported in HPE Operations Orchestration. The vulnerability is due to an incomplete fix for the deserialization of untrusted data in the product's backwards-compatibility servlets.

A remote, unauthenticated attacker can exploit this vulnerability by sending crafted serialized data to the target application. Successful exploitation could result in arbitrary code execution in the security context of the SYSTEM account.

The vendor, HPE, has released the following advisory regarding this vulnerability:

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03767en_us
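The root cause named above is a servlet that deserializes attacker-controlled bytes without restricting which classes the stream may instantiate. The usual fix for this class of bug is to resolve only an explicit allow-list of types, so that a class descriptor for anything else (including gadget types reachable through libraries such as commons-beanutils) is rejected before the object is ever created. The following is an added illustration of that mitigation, not code from HPE, Operations Orchestration or Apache Commons; the `LegacyRequest` message type and the allow-list contents are hypothetical stand-ins for whatever a real endpoint legitimately accepts.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Added example, not vendor code: a deserialization stream that resolves only
// classes on an explicit allow-list, so untrusted bytes cannot instantiate
// arbitrary classes before the endpoint's own validation runs.
public final class AllowListObjectInputStream extends ObjectInputStream {

    // Hypothetical message type a backwards-compatibility endpoint might accept.
    public static final class LegacyRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String action;
        public LegacyRequest(String action) { this.action = action; }
    }

    // Hypothetical allow-list: only the types this endpoint legitimately receives.
    private static final Set<String> ALLOWED = Set.of(
            LegacyRequest.class.getName(),
            String.class.getName());

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called for every class descriptor in the stream, before any object of
    // that class is created, so rejection here happens before readObject() hooks.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: the caller gets an exception and the class is never loaded.
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Demo helper: serialize an object to bytes (stands in for an HTTP request body).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize an untrusted body through the allow-listing stream.
    static Object readUntrusted(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowListObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted.
        LegacyRequest ok = (LegacyRequest) readUntrusted(serialize(new LegacyRequest("ping")));
        System.out.println("accepted: " + ok.action);

        // Any other type (a plain HashMap here, standing in for an unexpected payload): rejected.
        try {
            readUntrusted(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unexpected type was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later (and 8u121+ via the backport) the same policy can be applied with the built-in `ObjectInputFilter` API, either per stream with `ObjectInputStream.setObjectInputFilter(...)` or process-wide through the `jdk.serialFilter` system property; the built-in filter additionally enforces limits on graph depth, array sizes and total bytes, which a `resolveClass` override alone does not. Whichever mechanism is used, the allow-list must be exhaustive and deny everything else, since a deny-list of known gadget classes is exactly the kind of incomplete fix this advisory describes.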

Affected Products
  • HP Operations Orchestration prior to 10.80
CVSS Score
Base 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is COMPLETE
  • Impact of this vulnerability on data integrity is COMPLETE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 7.4 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03767en_us
https://www.tenable.com/security/research/tra-2017-25