Thank you for your feedback



Lexmark Security Advisory: Markvision Java Serialization Vulnerability (CVE-2016-1487)

Document ID:TE747

Usergroup :External
  Languages  
  Properties  

Solution

Lexmark Security Advisory:

 Revision:  1.0
 Last update:     27 January 2016
 Public Release Date:  1 February 2016

 

Summary

Java serialization vulnerability. 

Markvision Enterprise contains a vulnerability that allows for unauthenticated remote execution of commands on the MVE server.

 

References

CVE: CVE-2016-1487

Apache: CVE-2015-5254
                VU#576313

 

Details 

Markvision Enterprise is vulnerable to the deserialization bug reported in the Apache Commons Collections Library. This vulnerability allows for the remote command execution from a specially crafted serialized java object with the privilege of the Markvision Enterprise application.

 

Impact

Successful exploitation of this vulnerability can lead to the disclosure of data stored in the Markvision Enterprise, and the ability to execute code on the server hosting Markvision Enterprise.

 

Vulnerability Scoring Details

 CVSS Base Score: 9.0

Impact Subscore: 

9.5

Exploitability Subscore:

8.6

 

 Exploitability:  Impact:
 Access Vector:  Network  Confidentiality: Complete
 Access Complexity: Medium  Integrity: Complete
 Authentication: None  Availability: Partial

 CVSS scores are calculated in accordance with CVSS version 2.0 (http://www.first.org/cvss/cvss-guide.html).

 

Workarounds

Lexmark recommends updating the application if you have a vulnerable version, but a workaround is available.
Contact Lexmark Technical Support for instructions on the workaround.

Please visit www.lexmark.com/markvision or contact the Lexmark Technical Support Center at 1-800-359-6275 for additional information. 

 

Software Versions and Fixes

The vulnerability described in this advisory has been fixed in Markvision Enterprise v2.3.0 and all future releases. All releases previous to v2.3.0 are vulnerable. 

 

Obtaining Updated Software

To obtain Markvision Enterprise v2.3.0, please visit www.lexmark.com/markvision.

 

Exploitation and Public Announcements

Lexmark is not aware of any malicious use of the vulnerability described in this advisory.


Status of this Notice:

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE.

 

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts.

Future updates to this document will be on Lexmark’s web site at the same location.

 

Revision History 
 

Revision Date Reason
1.0       27 – January 2016                   Initial Public Release

 



Link:
Please enter the email address you would like to send a copy of this page to.