Short Name |
APP:REDHAT-JBOSS-DG-HOTROD-ID |
---|---|
Severity |
Major |
Recommended |
Yes |
Recommended Action |
Drop |
Category |
APP |
Keywords |
Red Hat JBoss Data Grid Hotrod Client Insecure Deserialization |
Release Date |
2018/03/12 |
Update Number |
3045 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
This signature detects attempts to exploit a known vulnerability in the Hotrod client that ships with Red Hat JBoss Data Grid. Successful exploitation can result in arbitrary code execution in the security context of the vulnerable client.
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.