Lexmark Security Advisory:
| Revision: | 1.0 |
| Last update: | 27 January 2016 |
| Public Release Date: | 1 February 2016 |
Summary
Java serialization vulnerability.
Markvision Enterprise contains a vulnerability that allows for unauthenticated remote execution of commands on the MVE server.
References
CVE: CVE-2016-1487
Apache: CVE-2015-5254 VU#576313
Details
Markvision Enterprise is vulnerable to the deserialization bug reported in the Apache Commons Collections Library. This vulnerability allows for the remote command execution from a specially crafted serialized java object with the privilege of the Markvision Enterprise application.
Impact
Successful exploitation of this vulnerability can lead to the disclosure of data stored in the Markvision Enterprise, and the ability to execute code on the server hosting Markvision Enterprise.
Vulnerability Scoring Details
| CVSS Base Score: | 9.0 |
Impact Subscore: | 9.5 |
Exploitability Subscore: | 8.6 |
| Exploitability: | Impact: |
| Access Vector: Network | Confidentiality: Complete |
| Access Complexity: Medium | Integrity: Complete |
| Authentication: None | Availability: Partial |
CVSS scores are calculated in accordance with CVSS version 2.0 (http://www.first.org/cvss/cvss-guide.html).
Workarounds
Lexmark recommends updating the application if you have a vulnerable version, but a workaround is available. Contact Lexmark Technical Support for instructions on the workaround.
Please visit www.lexmark.com/markvision or contact the Lexmark Technical Support Center at 1-800-359-6275 for additional information.
Software Versions and Fixes
The vulnerability described in this advisory has been fixed in Markvision Enterprise v2.3.0 and all future releases. All releases previous to v2.3.0 are vulnerable.
Obtaining Updated Software
To obtain Markvision Enterprise v2.3.0, please visit www.lexmark.com/markvision.
Exploitation and Public Announcements
Lexmark is not aware of any malicious use of the vulnerability described in this advisory.
Status of this Notice:
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE.
Distribution
This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts.
Future updates to this document will be on Lexmark’s web site at the same location.
Revision History
| Revision | Date | Reason |
| 1.0 | 27 – January 2016 | Initial Public Release |
LEGACY ID: TE747