Miggo Logo
Miggo Vulnerability Database
CVE-2016-8736

CVE-2016-8736: Apache OpenMeetings RCE

9.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-8736
GHSA ID
GHSA-6cpg-3w7f-j67q
EPSS Score
0.90356%
CWE
CWE-502
Published
5/14/2022
Updated
11/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.openmeetings:openmeetings-parentmaven< 3.1.23.1.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability (CVE-2016-8736) is explicitly an RMI deserialization attack. Java RMI uses serialization/deserialization for remote object communication. If the RMI registry is initialized without proper security controls (e.g., a validating ObjectInputFilter or security manager), attackers can send malicious serialized objects to execute arbitrary code. The patched version (3.1.2) likely added validation to the RMI registry setup. The function responsible for binding RMI services (e.g., RMIServiceImpl.bindToRegistry) would be the logical point of vulnerability, as it handles RMI endpoint exposure and deserialization logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** Op*nM**tin*s ***or* *.*.* is vuln*r**l* to R*mot* *o** *x**ution vi* RMI **s*ri*liz*tion *tt**k.

Reasoning

T** vuln*r**ility (*V*-****-****) is *xpli*itly *n RMI **s*ri*liz*tion *tt**k. J*v* RMI us*s s*ri*liz*tion/**s*ri*liz*tion *or r*mot* o*j**t *ommuni**tion. I* t** RMI r**istry is initi*liz** wit*out prop*r s**urity *ontrols (*.*., * `v*li**tin*` O*j*