ID CVE-2016-2510
Summary BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Vulnerable Configurations
  • BeanShell 2.0b5
    cpe:2.3:a:beanshell:beanshell:2.0b5
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 15.10
    cpe:2.3:o:canonical:ubuntu_linux:15.10
CVSS
Base: 6.8 (as of 07-06-2016 - 14:02)
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirecting execution to code of the attacker's choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack will result in a denial of service due to an application becoming unstable, freezing, or crashing. However, it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-351.NASL
    description This update for bsh2 fixes the following issues: - CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Please see https://github.com/beanshell/beanshell/releases/tag/2.0b6 for more information. This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 89976
    published 2016-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89976
    title openSUSE Security Update : bsh2 (openSUSE-2016-351)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2923-1.NASL
    description Alvaro Munoz and Christian Schneider discovered that BeanShell incorrectly handled deserialization. A remote attacker could possibly use this issue to execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 89778
    published 2016-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89778
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : bsh vulnerability (USN-2923-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3504.NASL
    description Alvaro Munoz and Christian Schneider discovered that BeanShell, an embeddable Java source interpreter, could be leveraged to execute arbitrary commands: applications including BeanShell in their classpath are vulnerable to this flaw if they deserialize data from an untrusted source.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 89694
    published 2016-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89694
    title Debian DSA-3504-1 : bsh - security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201607-17.NASL
    description The remote host is affected by the vulnerability described in GLSA-201607-17 (BeanShell: Arbitrary code execution). An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Impact: Remote attackers could execute arbitrary code including shell commands. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-10-02
    plugin id 92653
    published 2016-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92653
    title GLSA-201607-17 : BeanShell: Arbitrary code execution
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_9E5BBFFCD8AC11E5B2BD002590263BF5.NASL
    description Stian Soiland-Reyes reports: This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Munoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix! An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security, XStream security, and How to secure deserialization from untrusted input without using encryption or sealing.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88877
    published 2016-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88877
    title FreeBSD : bsh -- remote code execution vulnerability (9e5bbffc-d8ac-11e5-b2bd-002590263bf5)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-370.NASL
    description This update for bsh2 fixes the following issues: - Version update to 2.0b6 (boo#967593, CVE-2016-2510) - Upstream development moved to GitHub - No obvious changelog apart from the above
    last seen 2018-09-02
    modified 2016-10-13
    plugin id 90062
    published 2016-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90062
    title openSUSE Security Update : bsh2 (openSUSE-2016-370)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-443.NASL
    description A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features. CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. For Debian 6 'Squeeze', these problems have been fixed in version 2.0b4-12+deb6u1. We recommend that you upgrade your bsh packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 89043
    published 2016-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89043
    title Debian DLA-443-1 : bsh security update
redhat via4
advisories
  • rhsa
    id RHSA-2016:0539
  • rhsa
    id RHSA-2016:0540
  • rhsa
    id RHSA-2016:1135
  • rhsa
    id RHSA-2016:1376
  • rhsa
    id RHSA-2016:2035
refmap via4
bid 84139
debian DSA-3504
gentoo GLSA-201607-17
sectrack 1035440
suse
  • openSUSE-SU-2016:0788
  • openSUSE-SU-2016:0833
ubuntu USN-2923-1
Last major update 02-12-2016 - 22:25
Published 07-04-2016 - 16:59
Last modified 04-02-2019 - 13:20