Lexmark Security Advisory:
|Last update:||27 January 2016|
|Public Release Date:||1 February 2016|
Java serialization vulnerability.
Markvision Enterprise contains a vulnerability that allows for unauthenticated remote execution of commands on the MVE server.
Markvision Enterprise is vulnerable to the deserialization bug reported in the Apache Commons Collections Library. This vulnerability allows for the remote command execution from a specially crafted serialized java object with the privilege of the Markvision Enterprise application.
Successful exploitation of this vulnerability can lead to the disclosure of data stored in the Markvision Enterprise, and the ability to execute code on the server hosting Markvision Enterprise.
Vulnerability Scoring Details
|CVSS Base Score:||9.0|
|Access Vector: Network||Confidentiality: Complete|
|Access Complexity: Medium||Integrity: Complete|
|Authentication: None||Availability: Partial|
CVSS scores are calculated in accordance with CVSS version 2.0 (http://www.first.org/cvss/cvss-guide.html).
Lexmark recommends updating the application if you have a vulnerable version, but a workaround is available.
Contact Lexmark Technical Support for instructions on the workaround.
Please visit www.lexmark.com/markvision or contact the Lexmark Technical Support Center at 1-800-359-6275 for additional information.
Software Versions and Fixes
The vulnerability described in this advisory has been fixed in Markvision Enterprise v2.3.0 and all future releases. All releases previous to v2.3.0 are vulnerable.
Obtaining Updated Software
To obtain Markvision Enterprise v2.3.0, please visit www.lexmark.com/markvision.
Exploitation and Public Announcements
Lexmark is not aware of any malicious use of the vulnerability described in this advisory.
Status of this Notice:
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE.
This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts.
Future updates to this document will be on Lexmark’s web site at the same location.
|1.0||27 – January 2016||Initial Public Release|