Software AG webMethods OneData Deserialization Vulnerability

Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port). Port 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows.

N/A

N/A

Software AG webMethods 代码问题漏洞

Software AG webMethods是Software AG公司的一套集成和应用程序开发工具，用于帮助组织实现应用程序集成、数据集成、业务流程管理和应用程序开发等任务。webMethods 旨在帮助企业更好地管理其IT生态系统，提高效率，加速业务流程，并实现数字化转型。 Software AG webMethods 存在安全漏洞。目前尚无此漏洞的相关信息，请随时关注CNNVD或厂商公告。

N/A

N/A