CVE-2016-4368
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on affected HPE Universal CMDB and Universal Discovery systems by sending a specially crafted serialized Java object. The flaw exists in the Apache Commons Collections library used by these products, enabling remote code execution without authentication. Organizations running HPE Universal CMDB 10.0-10.21, Universal CMDB Configuration Manager 10.0-10.21, or Universal Discovery 10.0-10.21 are affected.
💻 Affected Systems
- HPE Universal CMDB
- HPE Universal CMDB Configuration Manager
- HPE Universal Discovery
📦 What is this software?
Universal CMDB Configuration Manager by HP
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, lateral movement, or deployment of ransomware.
Likely Case
Remote code execution leading to installation of backdoors, credential harvesting, or deployment of cryptocurrency miners on vulnerable systems.
If Mitigated
Limited impact if systems are patched, network segmentation is in place, and proper monitoring detects exploitation attempts.
🎯 Exploit Status
This vulnerability leverages the well-known Apache Commons Collections deserialization vulnerability (CVE-2015-4852) and has publicly available exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.22 or later
Vendor Advisory: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164408
Restart Required: Yes
Instructions:
1. Download the patch from HPE Support Center.
2. Apply the patch following HPE's installation instructions.
3. Restart the affected services.
4. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to vulnerable systems using firewalls or network segmentation.
WAF Rules
Implement Web Application Firewall rules to block serialized Java object payloads.
🧯 If You Can't Patch
- Immediately isolate vulnerable systems from the internet and restrict internal network access.
- Implement strict network monitoring and alerting for any attempts to exploit this vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check the product version via the administration console or configuration files. If the version is between 10.0 and 10.21 inclusive, the system is vulnerable.
Check Version:
Check the product documentation for version verification commands specific to your installation.
Verify Fix Applied:
Verify the product version is 10.22 or later after applying the patch.
📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization errors in application logs
- Unexpected process execution from the application server
- Suspicious network connections originating from the application server
Network Indicators:
- HTTP requests containing serialized Java objects to vulnerable endpoints
- Outbound connections from the application server to unknown external IPs
SIEM Query:
Search for: (event_source="HPE UCMDB" OR event_source="HPE UD") AND (error_message CONTAINS "deserialization" OR process_execution="unexpected")
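As an added example (not part of this advisory and not HPE product code), a small Python checker for the network indicator above: it flags HTTP request bodies that carry a Java serialized stream, whether raw, URL-encoded or base64-wrapped, and that name Apache Commons Collections gadget classes. The sample request bodies and the indicator labels are constructed for the demonstration.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those four bytes always begins "rO0AB"; capture the whole encoded run
B64_STREAM = re.compile(rb"rO0AB[A-Za-z0-9+/]*={0,2}")
# Class names that characterise the Apache Commons Collections gadget chains
CC_GADGETS = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections4.functors.InvokerTransformer",
)

def _views(body):
    """Yield the body raw, URL-decoded, and with any base64 Java streams decoded."""
    yield body
    decoded = unquote_to_bytes(body)
    yield decoded
    for run in B64_STREAM.findall(decoded):
        try:
            yield base64.b64decode(run, validate=True)
        except ValueError:  # truncated or malformed run: skip it
            continue

def classify_request(body):
    """Return sorted indicator labels found in one HTTP request body ([] if clean)."""
    hits = set()
    for view in _views(body):
        if JAVA_MAGIC in view:
            hits.add("java-serialized-stream")
        if any(cls in view for cls in CC_GADGETS):
            hits.add("commons-collections-gadget")
    return sorted(hits)

def scan_requests(records):
    """Run the check over (request_id, body) pairs; keep only the flagged ones."""
    return [(rid, hits) for rid, body in records if (hits := classify_request(body))]

# Constructed sample bodies: benign, raw stream naming a gadget class, base64-wrapped stream
SAMPLE_REQUESTS = [
    ("req-1", b"action=search&query=server01"),
    ("req-2", JAVA_MAGIC + b"\x73\x72\x00\x2a" + CC_GADGETS[0]),
    ("req-3", b"payload=" + base64.b64encode(JAVA_MAGIC + CC_GADGETS[1])),
]
```

Feeding `scan_requests` with bodies captured by a reverse proxy or WAF log gives the list of request ids that match the network indicator, which can then be correlated with the log indicators above.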