CVE-2016-8530

Vulnerability

The vulnerability exists in HPE iMC PLAT version 7.2 E0403P06 and earlier. The RedirectServlet.java in the /rptviewer/servlets/redirectviewer endpoint calls readObject on a FileInputStream, allowing deserialization of arbitrary objects. An unauthenticated attacker can control the filename via the parafile parameter, enabling path traversal to read any file [1].

Exploitation

An unauthenticated attacker sends a crafted request to the /rptviewer/servlets/redirectviewer endpoint with a malicious serialized object. The attacker can use path traversal in the parafile parameter to point to a file containing the serialized payload. Since anonymous TFTP is enabled by default, the attacker can upload the malicious file via TFTP and then trigger deserialization. The exploit results in a denial of service due to resource exhaustion or application crash [1].

Impact

Successful exploitation leads to a denial of service, causing the iMC platform to become unavailable. The attacker does not need authentication or prior knowledge of the system. No remote code execution is achieved because the class path lacks useful gadgets, but the denial of service is significant [1].

Mitigation

HPE has released a fixed version in iMC PLAT 7.3 E0504 or later. Upgrade to this version or later to remediate the vulnerability. No other workarounds are mentioned in the available references [1].