CVE-2015-9246

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Skybox Platform servers without authentication by uploading a malicious WAR archive containing a JSP file. The exploit targets the software update service endpoint, affecting all Skybox Platform installations before version 7.5.201.

💻 Affected Systems

Products:
  • Skybox Platform
Versions: All versions before 7.5.201
Operating Systems: Linux (based on path references)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the default installation with the software update service enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to install backdoors, steal sensitive data, pivot to internal networks, or deploy ransomware across the organization.

🟠 Likely Case: Attackers gain full control of the Skybox Platform server, potentially accessing network security data, modifying configurations, and using the system as a foothold for lateral movement.

🟢 If Mitigated: If properly segmented and monitored, impact could be limited to the Skybox server itself with minimal data exposure.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing instances extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internally deployed instances are at significant risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory includes technical details sufficient for exploitation. The attack requires only HTTP access and file upload capability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.5.201 or later

Vendor Advisory: https://www.skyboxsecurity.com/

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download Skybox Platform version 7.5.201 or later from the vendor portal.
3. Follow the vendor upgrade documentation to apply the update.
4. Restart all Skybox services.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Disable Software Update Service

Temporarily disable the vulnerable CollectorSoftwareUpdate endpoint by modifying the JBoss configuration; consult the Skybox documentation for the specific service disablement procedure.

Network Access Control

Restrict access to the vulnerable endpoint using firewall rules:

iptables -A INPUT -p tcp --dport 80 -m string --string '/skyboxview-softwareupdate/services/CollectorSoftwareUpdate' --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string '/skyboxview-softwareupdate/services/CollectorSoftwareUpdate' --algo bm -j DROP

Note that the string match only inspects cleartext packet payloads: on port 443 the request URI is inside the TLS record, so the second rule will not match. For HTTPS, restrict the endpoint by source address or at a TLS-terminating proxy in front of the server instead.

🧯 If You Can't Patch

  • Isolate the Skybox Platform server in a dedicated network segment with strict inbound/outbound firewall rules
  • Implement web application firewall (WAF) rules to block requests containing WAR file uploads or JSP execution attempts

🔍 How to Verify

Check if Vulnerable:

Check Skybox Platform version via admin interface or by examining installed packages. Versions below 7.5.201 are vulnerable.

Check Version:

grep -i version /opt/skyboxview/version.txt || skybox-cli --version

Verify Fix Applied:

Confirm version is 7.5.201 or higher and test that WAR file uploads to /skyboxview-softwareupdate/services/CollectorSoftwareUpdate are properly rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /skyboxview-softwareupdate/services/CollectorSoftwareUpdate with WAR file content
  • Unusual file creation in /opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost/
  • Unexpected JSP compilation or execution events

Network Indicators:

  • HTTP traffic to the software update endpoint with file upload patterns
  • Outbound connections from Skybox server to suspicious external IPs post-exploitation

SIEM Query:

source="skybox_logs" AND (uri_path="/skyboxview-softwareupdate/services/CollectorSoftwareUpdate" OR file_path="*jboss.web/localhost*")
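The log and file-system indicators above can be checked programmatically. The following Python script is an added example for this page, not part of the original advisory and not Skybox's own tooling: it scans web access-log lines for POSTs to the CollectorSoftwareUpdate endpoint, applies a WAF-style body check for a zip/WAR archive that carries a JSP entry (the upload pattern the TL;DR describes), and flags JSP sources or Jasper compilation artifacts created under the JBoss work directory named in the indicators. The combined-log format, the sample log lines, the sample file paths and the in-memory WAR fixture are all constructed for the example; adapt the regex to the actual access-log format on your server.

```python
"""Detection helpers for the CVE-2015-9246 indicators (added example, not the
advisory's or Skybox's own code). All sample data below is constructed."""
import io
import re
import zipfile

# Endpoint and work directory as named in the advisory's indicators.
VULN_ENDPOINT = "/skyboxview-softwareupdate/services/CollectorSoftwareUpdate"
JBOSS_WORK_DIR = "/opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost/"

# Combined-log style line with an extra quoted Content-Type field at the end
# (format assumption for this example; real access logs will differ).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<ctype>[^"]*)")?'
)


def flag_access_lines(lines):
    """Return POSTs to the vulnerable endpoint. An archive-like Content-Type
    (multipart, zip, java-archive) raises severity, because a WAR is a zip;
    failed (5xx) uploads are kept as medium hits since an attempt is still
    worth correlating with the work-directory indicator."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-flag
        if m["method"] != "POST" or not m["path"].startswith(VULN_ENDPOINT):
            continue
        ctype = (m["ctype"] or "").lower()
        archive_like = any(k in ctype for k in ("multipart", "zip", "java-archive"))
        hits.append({"src": m["src"], "ts": m["ts"], "status": m["status"],
                     "severity": "high" if archive_like else "medium"})
    return hits


def is_war_with_jsp(body: bytes) -> bool:
    """WAF-style body check: does the upload look like a zip/WAR archive that
    contains a JSP? The zip local-file-header signature is checked first so
    ordinary XML/SOAP request bodies are rejected without parsing."""
    if not body.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return any(n.lower().endswith((".jsp", ".jspx")) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def flag_work_dir_files(paths):
    """Return created files under the JBoss work dir that are JSP sources or
    the *_jsp.java / *_jsp.class artifacts Jasper emits when compiling one."""
    suspicious = (".jsp", ".jspx", "_jsp.java", "_jsp.class")
    return [p for p in paths if p.startswith(JBOSS_WORK_DIR)
            and p.lower().endswith(suspicious)]


def build_sample_war(with_jsp: bool) -> bytes:
    """Constructed fixture: a minimal zip that optionally contains a JSP entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        if with_jsp:
            zf.writestr("index.jsp", "<%-- placeholder entry, constructed for the test --%>")
    return buf.getvalue()


# Constructed sample data (documentation IP ranges, not real observations).
SAMPLE_ACCESS = [
    '203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "POST ' + VULN_ENDPOINT +
    ' HTTP/1.1" 200 512 "multipart/form-data; boundary=x"',
    '10.0.0.5 - - [12/Mar/2015:10:01:05 +0000] "GET /skyboxview/ HTTP/1.1" 200 2048 "-"',
    '203.0.113.7 - - [12/Mar/2015:10:01:09 +0000] "POST ' + VULN_ENDPOINT +
    ' HTTP/1.1" 500 0 "text/xml"',
]
SAMPLE_FILES = [
    JBOSS_WORK_DIR + "update/org/apache/jsp/index_jsp.java",
    JBOSS_WORK_DIR + "update/org/apache/jsp/index_jsp.class",
    "/opt/skyboxview/log/server.log",
]

if __name__ == "__main__":
    for hit in flag_access_lines(SAMPLE_ACCESS):
        print("access:", hit)
    print("war-with-jsp:", is_war_with_jsp(build_sample_war(True)))
    for path in flag_work_dir_files(SAMPLE_FILES):
        print("work-dir:", path)
```

The three checks map one-to-one onto the log indicators listed above; in practice the access-log check and the work-directory check run on different data sources, and a high-severity access hit followed shortly by a work-directory hit from the same host is the correlation worth alerting on.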
