CVE-2017-12149

Red Hat JBoss Application Server Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

En Jboss Application Server tal y como se distribuye con Red Hat Enterprise Application Platform 5.2, se ha descubierto que el método doFilter en el ReadOnlyAccessFilter del invocador HTTP no restringe las clases para las que realiza la deserialización y, por lo tanto, permite que un atacante ejecute código arbitrario mediante datos serializados manipulados.

It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data.

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This asynchronous patch is a security update for JBoss invoker in Red Hat JBoss Enterprise Application Platform 5.2.0. Issues addressed include a code execution vulnerability.

The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2017-08-01 CVE Reserved
2017-10-04 CVE Published
2017-11-22 First Exploit
2021-12-10 Exploited in Wild
2022-06-10 KEV Due Date
2025-02-07 CVE Updated
2025-03-18 EPSS Updated

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (16)

URL	Tag	Source
http://www.securityfocus.com/bid/100591	Broken Link
https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149	Third Party Advisory

URL	Date	SRC
https://packetstorm.news/files/id/181026	2024-09-01
https://github.com/sevck/CVE-2017-12149	2017-11-22
https://github.com/1337g/CVE-2017-12149	2017-12-23
https://github.com/jreppiks/CVE-2017-12149	2019-08-22
https://github.com/JesseClarkND/CVE-2017-12149	2024-04-30
https://github.com/VVeakee/CVE-2017-12149	2022-04-16
https://github.com/yunxu1/jboss-_CVE-2017-12149	2024-12-03
https://github.com/Xcatolin/jboss-deserialization	2022-12-19
https://github.com/MrE-Fog/jboss-_CVE-2017-12149	2023-08-06
https://github.com/zesnd/cve-2017-12149	2024-12-21

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:1607	2024-07-24
https://access.redhat.com/errata/RHSA-2018:1608	2024-07-24
https://bugzilla.redhat.com/show_bug.cgi?id=1486220	2018-05-17
https://access.redhat.com/security/cve/CVE-2017-12149	2018-05-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				-		text-only		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.0.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.1.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.1.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.1.2"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.2.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				5.2.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2.2"		-		Affected