Original release date: 15 September 2017
Update date: 27 September 2017
CVE ID
CVE-2017-10932
CVSS 3.0 Base Score
9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product
NR8000 Series
Affected Versions
All versions prior to V12.17.20
Description
All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products (NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950) are client/server (C/S) applications that use the Java RMI service. The servers use the Apache Commons Collections (ACC) library, which may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host.
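The following is an added example, not ZTE's code or part of the original advisory: a Python triage helper for bytes captured on the RMI ports that recognises the JRMP header and the Java serialization magic, then lists Apache Commons Collections class names found in class descriptors. The sample byte strings are constructed for illustration, and the descriptor scan is a heuristic rather than a full stream parser.

```python
import struct

JRMP_MAGIC = b"JRMI"             # JRMP header magic, followed by a 2-byte version
JRMP_PROTOCOLS = {0x4B: "stream", 0x4C: "single-op", 0x4D: "multiplex"}
SER_MAGIC = b"\xac\xed\x00\x05"  # Java serialization STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72              # tag that precedes a class name in the stream
ACC_PREFIXES = ("org.apache.commons.collections.", "org.apache.commons.collections4.")

def parse_jrmp_header(data):
    """Return the JRMP protocol name if data starts with a JRMP header, else None."""
    if len(data) < 7 or data[:4] != JRMP_MAGIC:
        return None
    (version,) = struct.unpack(">H", data[4:6])
    return JRMP_PROTOCOLS.get(data[6]) if version == 2 else None

def class_names(data):
    """Yield class names from TC_CLASSDESC records after the serialization magic."""
    start = data.find(SER_MAGIC)
    if start < 0:
        return
    i = start + len(SER_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", data[i + 1:i + 3])
            raw = data[i + 3:i + 3 + n]
            # Accept only a complete, printable name; skip it and its 8-byte serialVersionUID.
            if 0 < n == len(raw) and all(0x20 < b < 0x7F for b in raw):
                yield raw.decode("ascii")
                i += 3 + n + 8
                continue
        i += 1

def inspect(data):
    """Summarise one captured payload for triage."""
    names = list(class_names(data))
    return {"jrmp": parse_jrmp_header(data),
            "serialized": SER_MAGIC in data,
            "acc_classes": [n for n in names if n.startswith(ACC_PREFIXES)]}

def _sample(cls):  # constructed bytes: not a capture and not a usable payload
    desc = bytes([TC_CLASSDESC]) + struct.pack(">H", len(cls)) + cls.encode() + bytes(8)
    return b"JRMI\x00\x02\x4b" + b"\x50" + SER_MAGIC + b"\x73" + desc

SAMPLE_ACC = _sample("org.apache.commons.collections.functors.ConstantTransformer")
SAMPLE_OTHER = _sample("java.util.HashMap")

if __name__ == "__main__":
    for label, blob in (("acc", SAMPLE_ACC), ("other", SAMPLE_OTHER)):
        print(label, inspect(blob))
```

A non-empty `acc_classes` result from an untrusted source address is a reason to review the connection, not proof of exploitation on its own.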
Workaround
Ensure that all exposed ports used by the server, including the RMI registry port, are firewalled from any untrusted IP address.
Resolution
Users may upgrade or change to new versions after V12.17.20.
Credit
Thanks to Zhang Jinxin for reporting the security issues to ZTE PSIRT.
References
CVE-2015-6420 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420)
CVE-2015-4852 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852)
CVE-2015-7450 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7450)
CVE-2015-8103 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8103)
Update Records
15 September 2017, initial.
27 September 2017, CVE ID assigned.
ZTE PSIRT
To give feedback on or report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.