Fluid Attacks Database

Description

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel7	java-1.7.0-openjdk	<1:1.7.0.101-2.6.6.1.el7_2	1:1.7.0.101-2.6.6.1.el7_2
rpm rhel7	java-1.8.0-openjdk	<1:1.8.0.91-0.b14.el7_2	1:1.8.0.91-0.b14.el7_2
rpm rhel5	java-1.6.0-openjdk	<1:1.6.0.39-1.13.11.0.el5_11	1:1.6.0.39-1.13.11.0.el5_11
rpm rhel5	java-1.7.0-openjdk	<1:1.7.0.101-2.6.6.1.el5_11	1:1.7.0.101-2.6.6.1.el5_11
rpm rhel6	java-1.6.0-openjdk	<1:1.6.0.39-1.13.11.0.el6_7	1:1.6.0.39-1.13.11.0.el6_7
rpm rhel7	java-1.6.0-openjdk	<1:1.6.0.39-1.13.11.0.el7_2	1:1.6.0.39-1.13.11.0.el7_2
rpm rhel6	java-1.7.0-openjdk	<1:1.7.0.101-2.6.6.1.el6_7	1:1.7.0.101-2.6.6.1.el6_7
rpm rhel6	java-1.8.0-openjdk	<1:1.8.0.91-0.b14.el6_7	1:1.8.0.91-0.b14.el6_7

Aliases

1. CVE-2016-34272. NVD-2016-34273. OSV-2016-3427

References

1. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3427