Vulnerability Description
ManageEngine Applications Manager 12 and 13 before build 13200 allows deserialization of unsafe Java objects. The vulnerability can be exploited by a remote user without authentication and allows remote code execution, compromising the application as well as the operating system. Because Applications Manager's RMI registry runs with the privileges of the system administrator, an attacker who exploits this vulnerability gains the highest privileges on the underlying operating system.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | ManageEngine Applications Manager | 12.0 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2017/Apr/9 (Mailing List, Third Party Advisory)
- https://www.manageengine.com/products/applications_manager/security-updates/secu (Vendor Advisory)
- https://www.securityfocus.com/bid/97394/ (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2016-9498?
CVE-2016-9498 is a vulnerability with a CVSS score of 9.8 (CRITICAL). ManageEngine Applications Manager 12 and 13 before build 13200 allows deserialization of unsafe Java objects. The vulnerability can be exploited by a remote user without authentication and it allows to...
How severe is CVE-2016-9498?
CVE-2016-9498 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-9498?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp ManageEngine Applications Manager.