Main Vulnerability Database SB2017102014

SB2017102014 - Privilege escalation in Apache James

Published: October 20, 2017 Updated: February 25, 2020

Security Bulletin ID SB2017102014

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2017-12628)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insecure input validation when processing serialized data within the JMX server, bundled with Apache James. A local user can pass specially crafted data to the JMX socket and execute arbitrary code on the target system with elevated privileges.

Remediation

Install update from vendor's website.

References

http://www.securityfocus.com/bid/101532
https://www.mail-archive.com/server-user@james.apache.org/msg15633.html