CVE-2016-4000
Arbitrary Code Execution vulnerability in jython-standalone (Maven)
What is CVE-2016-4000 About?
Jython before 2.7.1rc1 allows arbitrary code execution via a crafted serialized PyFunction object. Any application that deserializes attacker-supplied data with a vulnerable Jython on its classpath can be made to run code of the attacker's choosing in its own process. Exploitation is of moderate complexity: the attacker needs a reachable deserialization entry point and working knowledge of Java serialization and Jython's function objects.
Affected Software
- org.python:jython-standalone
- <2.7.1
- org.python:jython
- <2.7.1-rc1
Technical Details
Jython's function objects (org.python.core.PyFunction) are Java-serializable, so a PyFunction can be written to and reconstructed from an ordinary Java ObjectInputStream. Before 2.7.1rc1 that reconstruction was not guarded: an attacker can build a serialized PyFunction carrying code of their choosing and feed the byte stream to any component that deserializes untrusted input with a vulnerable Jython on its classpath; deserializing it leads to execution of the attacker's code in the application's process. Since the entry point is plain Java serialization, the deserializing code does not have to be Jython-aware, which is why products that merely bundle Jython (see the Oracle Critical Patch Update advisories under Additional Resources) are affected. The fix is tracked as Jython issue 2454 and landed in changeset d06e29d100c0, both linked below.
What is the Impact of CVE-2016-4000?
Successful exploitation gives the attacker arbitrary code execution with the privileges of the process hosting the vulnerable Jython runtime; depending on that process's rights, this can lead to full compromise of the host.
What is the Exploitability of CVE-2016-4000?
Exploitation is of moderate complexity. The attacker must find a point where the application deserializes data they can influence and must be able to deliver a crafted stream there; no flaw in the application's own code is needed beyond that deserialization. The vector is usually remote, for example RMI or another protocol that carries serialized Java objects, but a local process reading serialized objects from a file or socket is exposed as well. No authentication is needed where the deserialization point is reachable anonymously; in many deployments it sits behind credentials or specific application logic, which raises the bar without removing the risk. The only hard prerequisite is a vulnerable Jython on the classpath of a process that deserializes untrusted input, and exposure is greatest where such endpoints face untrusted networks.
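Added example for the two sections above, not code from this page or from the Jython project: a Python gate that inspects a Java serialization stream before it reaches an ObjectInputStream. The strict pass parses the stream header and the first object's class descriptor chain (TC_OBJECT, TC_CLASSDESC, fields, TC_ENDBLOCKDATA, superclass) and refuses any class under org.python.core., which covers PyFunction and its superclass chain; a heuristic pass then looks for TC_CLASSDESC-shaped descriptors of denied classes anywhere in the stream, so a PyFunction buried in an outer object's field data is also caught. All sample streams are constructed inline (zero serialVersionUIDs, an assumed __code__ field layout, a HashMap wrapper placed in front of a PyFunction descriptor) and are not real captures. Inside the JVM the equivalent control is an ObjectInputFilter (JEP 290, Java 9 and 8u121 onward), which sees every class as it is resolved; this script is for the proxy, queue consumer or forensic-triage position where the bytes are visible before any JVM deserializes them.

```python
# Pre-deserialization gate for Java serialization streams carrying a Jython PyFunction.
# Added example for this advisory, not Jython project code; see the lead-in for assumptions.
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"                     # STREAM_MAGIC + STREAM_VERSION
TC_NULL, TC_REFERENCE, TC_CLASSDESC = 0x70, 0x71, 0x72
TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x73, 0x74, 0x78
DENY_PREFIXES = ("org.python.core.",)                    # PyFunction and its superclasses

class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def utf(self) -> str:                                # Java UTF: 2-byte length + bytes
        (n,) = struct.unpack(">H", self.take(2))
        return self.take(n).decode("utf-8")

def _read_class_desc_chain(r: _Reader, names: list) -> None:
    """Append class names from a TC_CLASSDESC and its superclass chain (ends at TC_NULL)."""
    tc = r.take(1)[0]
    if tc in (TC_NULL, TC_REFERENCE):
        if tc == TC_REFERENCE:
            r.take(4)                                    # handle of a descriptor seen earlier
        return
    if tc != TC_CLASSDESC:
        raise ValueError(f"expected TC_CLASSDESC, got 0x{tc:02x}")
    names.append(r.utf())
    r.take(8 + 1)                                        # serialVersionUID, classDescFlags
    (field_count,) = struct.unpack(">H", r.take(2))
    for _ in range(field_count):
        typecode = r.take(1)[0]
        r.utf()                                          # field name
        if typecode in (ord("L"), ord("[")):             # object/array field: its class name follows
            tag = r.take(1)[0]
            if tag not in (TC_STRING, TC_REFERENCE):
                raise ValueError(f"unexpected type code 0x{tag:02x} in field descriptor")
            r.utf() if tag == TC_STRING else r.take(4)
    if r.take(1)[0] != TC_ENDBLOCKDATA:
        raise ValueError("class annotations are not supported by this gate")
    _read_class_desc_chain(r, names)                     # superclass descriptor

def top_level_classes(stream: bytes) -> list:
    """Class hierarchy of the first object in the stream, most-derived first."""
    if stream[:4] != STREAM_HEADER:
        raise ValueError("not a Java serialization stream")
    r = _Reader(stream)
    r.take(4)
    if r.take(1)[0] != TC_OBJECT:
        raise ValueError("first element is not TC_OBJECT")
    names: list = []
    _read_class_desc_chain(r, names)
    return names

def deep_scan_hits(stream: bytes, deny=DENY_PREFIXES) -> list:
    """Heuristic pass: every TC_CLASSDESC-shaped name anywhere in the stream that is denied.
    Catches a nested PyFunction; can false-positive on a benign string containing the prefix."""
    hits = []
    for prefix in deny:
        needle, start = prefix.encode(), 0
        while (i := stream.find(needle, start)) != -1:
            if i >= 3 and stream[i - 3] == TC_CLASSDESC:  # TC_CLASSDESC, 2-byte length, name
                (n,) = struct.unpack(">H", stream[i - 2:i])
                hits.append(stream[i:i + n].decode("utf-8", "replace"))
            start = i + 1
    return hits

def gate(stream: bytes, deny=DENY_PREFIXES) -> bool:
    """True if the stream may go to ObjectInputStream, False if it must be dropped."""
    strict_hits = [n for n in top_level_classes(stream) if n.startswith(deny)]
    return not strict_hits and not deep_scan_hits(stream, deny)

# Constructed sample streams (not real captures): zero serialVersionUIDs, invented field layout.
def _utf(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode()

def _class_desc(name: str, fields=(), superclass: bytes = bytes([TC_NULL])) -> bytes:
    out = bytes([TC_CLASSDESC]) + _utf(name) + b"\x00" * 8 + b"\x02"  # SC_SERIALIZABLE flag
    out += struct.pack(">H", len(fields))
    for typecode, fname, fclass in fields:
        out += typecode.encode() + _utf(fname)
        if fclass is not None:
            out += bytes([TC_STRING]) + _utf(fclass)
    return out + bytes([TC_ENDBLOCKDATA]) + superclass

PYFUNCTION_SAMPLE = STREAM_HEADER + bytes([TC_OBJECT]) + _class_desc(
    "org.python.core.PyFunction",
    fields=[("L", "__code__", "Lorg/python/core/PyCode;")],  # field name is an assumption
    superclass=_class_desc("org.python.core.PyObject"))
BENIGN_SAMPLE = STREAM_HEADER + bytes([TC_OBJECT]) + _class_desc(
    "java.util.ArrayList", fields=[("I", "size", None)])
NESTED_SAMPLE = (STREAM_HEADER + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap")
                 + bytes([TC_OBJECT]) + _class_desc("org.python.core.PyFunction"))
```

The strict pass never reads class data, so malformed field contents cannot confuse it, but it also cannot see nested objects; the heuristic pass fills that gap at the price of a false positive if a benign string value happens to contain the denied prefix right after a 0x72 byte and a plausible length. Treat any rejection as log-and-drop, not as something to repair and forward.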
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-4000?
Available Upgrade Options
- org.python:jython-standalone
- <2.7.1 → Upgrade to 2.7.1
- org.python:jython
- <2.7.1-rc1 → Upgrade to 2.7.1-rc1
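Added example, not code from this page or from the project: a Python check that applies the two fixed versions listed above to `mvn dependency:list` output (the sample lines are constructed, not from a real build). It makes two points a scanner has to get right: the two artifacts are fixed at different versions on this page (jython at 2.7.1rc1, jython-standalone at 2.7.1), and pre-release tags must be compared as ordered components rather than as strings, since `'2.7.1rc1' > '2.7.1'` as strings would let a jython-standalone 2.7.1rc1 dependency pass as fixed. Both spellings used on this page for the release candidate, 2.7.1rc1 and 2.7.1-rc1, are accepted.

```python
# Version check for the two Jython Maven artifacts named in this advisory.
# Added example, not project code; the sample build output below is constructed.
import re

# Fixed versions as listed under Available Upgrade Options on this page.
FIXED_IN = {
    "org.python:jython": "2.7.1rc1",
    "org.python:jython-standalone": "2.7.1",
}
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}                    # pre-release tags; a final release ranks 3
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(a|b|rc)(\d*))?$")
# `mvn dependency:list` line: [INFO]    groupId:artifactId:type[:classifier]:version:scope
_DEP_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):(?:jar|bundle):(?:[\w.\-]+:)?([\w.\-]+):(\w+)")

def parse_version(text: str) -> tuple:
    """'2.7.1rc1' or '2.7.1-rc1' -> ((2, 7, 1), 2, 1); '2.7.1' -> ((2, 7, 1), 3, 0).
    Tuples order correctly; plain strings do not ('2.7.1rc1' > '2.7.1' as str)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))                 # 2.7 == 2.7.0
    if m.group(2) is None:
        return release, 3, 0
    return release, _PRE_RANK[m.group(2)], int(m.group(3) or 0)

def is_vulnerable(coordinate: str, version: str) -> bool:
    """True if groupId:artifactId at this version predates its fix for CVE-2016-4000."""
    fixed = FIXED_IN.get(coordinate)
    if fixed is None:
        return False                                     # not an artifact this advisory covers
    return parse_version(version) < parse_version(fixed)

def scan_dependency_list(lines) -> list:
    """(coordinate, version, scope) for every vulnerable Jython entry in dependency:list output."""
    findings = []
    for line in lines:
        m = _DEP_LINE.match(line)
        if m:
            coordinate = f"{m.group(1)}:{m.group(2)}"
            if is_vulnerable(coordinate, m.group(3)):
                findings.append((coordinate, m.group(3), m.group(4)))
    return findings

# Constructed sample, not from a real build. Note the two artifacts diverge at 2.7.1rc1.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.python:jython-standalone:jar:2.7.0:compile
[INFO]    org.python:jython:jar:2.7.1rc1:test
[INFO]    org.python:jython-standalone:jar:2.7.1rc1:runtime
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    org.python:jython:jar:2.7.1b3:compile
[INFO]    org.python:jython-standalone:jar:2.7.2:compile
""".splitlines()

if __name__ == "__main__":
    for coordinate, version, scope in scan_dependency_list(SAMPLE_MVN_OUTPUT):
        print(f"VULNERABLE {coordinate}:{version} ({scope}) -> upgrade to {FIXED_IN[coordinate]}")
```

Run it against `mvn dependency:list` output saved to a file, or wire `scan_dependency_list` into a build step that fails on any finding. Transitive dependencies appear in the same output, so a Jython pulled in by another library is caught as well.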
Additional Resources
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://lists.apache.org/thread.html/0919ec1db20b1022f22b8e78f355667df74d6142b463ff17d03ad533@%3Cdevnull.infra.apache.org%3E
- https://security.gentoo.org/glsa/201710-28
- https://hg.python.org/jython/rev/d06e29d100c0
- https://nvd.nist.gov/vuln/detail/CVE-2016-4000
- http://bugs.jython.org/issue2454
What are Similar Vulnerabilities to CVE-2016-4000?
Similar Vulnerabilities: CVE-2015-4852, CVE-2017-3241, CVE-2017-10001, CVE-2017-10271, CVE-2020-2555
