10
CVSSv2

CVE-2016-3427

Published: 21/04/2016 Updated: 08/09/2020
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9 | Impact Score: 6 | Exploitability Score: 2.2
VMScore: 894
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote malicious users to affect confidentiality, integrity, and availability via vectors related to JMX.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

oracle jdk 1.8.0

oracle jre 1.8.0

oracle jrockit r28.3.9

oracle jre 1.6.0

oracle jdk 1.6.0

oracle jdk 1.7.0

oracle jre 1.7.0

Vendor Advisories

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws ...
Several security issues were fixed in OpenJDK 7 ...
Several security issues were fixed in OpenJDK 6 ...
vCenter Server 60 on Windows without workaround of KB 2145343 vCenter Server 60 on Linux (VCSA) prior to 600b vCenter Server 55 prior to 55 U3d (on Windows), 55 U3 (VCSA) vCenter Server 51 prior to 51 U3b vCenter Server 50 prior to 50 U3e   vCloud Director prior to 8011 vCloud Director prior to 5651 vCloud Director prior to 556 ...
Arch Linux Security Advisory ASA-201611-22 ========================================== Severity: High Date : 2016-11-23 CVE-ID : CVE-2016-6816 CVE-2016-8735 Package : tomcat6 Type : multiple issues Remote : Yes Link : wikiarchlinuxorg/indexphp/CVE Summary ======= The package tomcat6 before version 6048-1 is vulnerable to m ...
Several security issues were fixed in OpenJDK 8 ...
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, denial of service or information disclosure For the stable distribution (jessie), these problems have been fixed in version 7u101-266-1~deb8u1 We recommend that you upgrade your openjdk-7 packages ...
Debian Bug report logs - #845393 CVE-2016-9774: privilege escalation via upgrade Package: tomcat8; Maintainer for tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat8 is src:tomcat8 (PTS, buildd, popcon) Reported by: Paul Szabo <paulszabo@sydneyeduau> Date: Tue, 22 ...
Debian Bug report logs - #845385 CVE-2016-9775: privilege escalation via removal Package: tomcat8; Maintainer for tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for tomcat8 is src:tomcat8 (PTS, buildd, popcon) Reported by: Paul Szabo <paulszabo@sydneyeduau> Date: Tue, 22 ...
Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions (CVE-2016-0686 , CVE-2016-0687 ) It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can ...
It was discovered that the ObjectInputStream class in the Serialization component of OpenJDK failed to properly ensure thread consistency when deserializing serialized input An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2016-0686 ) It was discovered that the Hotspot component of OpenJDK did n ...
Synopsis Important: Red Hat JBoss Web Server security and enhancement update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web ServerRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...
Synopsis Moderate: java-171-ibm security update Type/Severity Security Advisory: Moderate Topic An update for java-171-ibm is now available for Red HatSatellite 57 and Red Hat Satellite 56Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Sc ...
It was discovered that the ObjectInputStream class in the Serialization component of OpenJDK failed to properly ensure thread consistency when deserializing serialized input An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2016-0686 ) It was discovered that the Hotspot component of OpenJDK did n ...
Oracle Solaris Third Party Bulletin - January 2017 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Up ...
Oracle Critical Patch Update Advisory - April 2016 Description A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory ...
Oracle Linux Bulletin - April 2016 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are release ...
IBM Java SDK is used by IBM Netezza Analytics for NPS IBM Netezza Analytics for NPS has addressed the applicable CVEs by upgrading IBM Java SDK to version 80-615 ...

Github Repositories

A tool that helps you attacking unprotected JMX endpoints

Beanshooter Beanshooter is a command line tool written in Java, which helps to identify common vulnerabilities on JMX endpoints JMX stands for Java Management Extensions and can be used to monitor and configure the Java Virtual Machine from remote Applications like tomcat or JBoss are often installed together with a JMX instance, which enables server administrators to monito

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc Requirements Python >= 27x urllib3 ipaddress Installation on Linux\Mac To install the latest version of JexBoss, please use the

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc Requirements Python >= 27x urllib3 ipaddress Installation on Linux\Mac To install the latest version of JexBoss, please use the

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc Requirements Python >= 27x urllib3 ipaddress Installation on Linux\Mac To install the latest version of JexBoss, please use the

JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc Requirements Python >= 27x urllib3 ipaddress Installation on Linux\Mac To install the latest version of JexBoss, please use the

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc Requirements Python >= 27x urllib3 ipaddress Installation on Linux\Mac To install the latest version of JexBoss, please use the

JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc Requirements Python >= 27x urllib3 ipaddress Installation on Linux\Mac To install the latest version of JexBoss, please use the

JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc Requirements Python >= 27x urllib3 ipaddress Installation on Linux\Mac To install the latest version of JexBoss, please use the

Jok3r v3 BETA 2 - Network and Web Pentest Automation Framework

Jok3r v3 beta Network & Web Pentest Automation Framework wwwjok3r-frameworkcomWARNING: Project is still in version 3 BETA It is still under active development and bugs might be present Many tests are going on: see githubcom/koutto/jok3r/blob/master/tests/TESTSrst Ideas, bug reports, contributions are welcome ! Overview Features Demos Architecture

Jok3r v3 beta Network & Web Pentest Automation Framework wwwjok3r-frameworkcomWARNING: Project is still in version 3 BETA It is still under active development and bugs might be present Many tests are going on: see githubcom/koutto/jok3r/blob/master/tests/TESTSrst Ideas, bug reports, contributions are welcome ! Overview Features Demos Architecture

Java-Deserialization-Cheat-Sheet A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries Please, use #javadeser hash tag for tweets Table of content Java Native Serialization (binary) Overview Main talks & presentations & docs Payload generators Exploits Detect Vulnerable apps (without

The cheat sheet about Java Deserialization vulnerabilities

Java-Deserialization-Cheat-Sheet A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries Please, use #javadeser hash tag for tweets Table of content Java Native Serialization (binary) Overview Main talks & presentations & docs Payload generators Exploits Detect Vulnerable apps (without

Compiled dataset of Java deserialization CVEs

Java-Deserialization-CVEs This is a dataset of CVEs related to Java Deserialization Since existing CVE databases do not allow for granular searches by vulnerability type and language, this list was compiled by manually searching the NIST NVD CVE database with different queries If you notice any discrepancies, contributions are very welcome! CVE ID Year CVSS 3/31 risk CV

References

NVD-CWE-noinfohttp://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0702.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0701.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0723.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0708.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0716.htmlhttps://security.gentoo.org/glsa/201606-18http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlhttps://access.redhat.com/errata/RHSA-2016:1430http://www.securityfocus.com/bid/86421http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1039.htmlhttps://kc.mcafee.com/corporate/index?page=content&id=SB10159http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0676.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0675.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0679.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0677.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0678.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0651.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0650.htmlhttp://www.ubuntu.com/usn/USN-2972-1http://www.ubuntu.com/usn/USN-2963-1http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.htmlhttp://www.ubuntu.com/usn/USN-2964-1http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.htmlhttp://www.debian.org/security/2016/dsa-3558http://www.securitytracker.com/id/1035596http://www.securitytracker.com/id/1037331https://security.netapp.com/advisory/ntap-20160420-0001/https://access.redhat.com/errata/RHSA-2017:1216https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948@%3Cdev.cassandra.apache.org%3Ehttps://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258@%3Cuser.cassandra.apache.org%3Ehttp://www.openwall.com/lists/oss-security/2020/08/31/1https://github.com/qtc-de/beanshooterhttps://nvd.nist.govhttps://www.securityfocus.com/bid/86421http://tools.cisco.com/security/center/viewAlert.x?alertId=44733https://usn.ubuntu.com/2964-1/