cbcvebase.
CVE-2017-12149
published 2017-10-04

Priority: P197, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2022-06-10)
Exploited in the wild
EPSS: 90.71% (99.8th percentile)
In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, and thus allows an attacker to execute arbitrary code via crafted serialized data.

Affected (9 ranges)

Vendor         Product                                  Version range   Fixed in
red_hat_inc    jbossas                                  -               -
redhat         jboss_enterprise_application_platform    -               -
redhat         jboss_enterprise_application_platform    -               -
redhat         jboss_enterprise_application_platform    -               -
redhat         jboss_enterprise_application_platform    -               -
redhat         jboss_enterprise_application_platform    -               -
redhat         jboss_enterprise_application_platform    -               -
redhat         jboss_enterprise_application_platform    -               -
redhat         jboss_enterprise_application_platform    -               -

Detection & IOCs (extracted from sources)

URLs:
  • /invoker/JMXInvokerServlet/
  • /invoker/EJBInvokerServlet/
  • /invoker/readonly
Bytes (base64-encoded Java serialization stream):
  rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==
  • Detect exploitation attempts by matching HTTP POST requests to the three JBoss invoker endpoints (/invoker/JMXInvokerServlet/, /invoker/EJBInvokerServlet/, /invoker/readonly) with Content-Type: application/octet-stream carrying Java serialized object payloads (magic bytes rO0A).
  • A vulnerable server response will contain both the strings 'JBoss' and 'ClassCastException' (case-insensitive) with HTTP status 200 or 500, indicating the deserialized object was processed.
  • Attackers leverage ysoserial to generate malicious serialized payloads exploiting Apache Commons Collections gadget chains; monitor for ysoserial-generated payloads in POST bodies to the invoker endpoints.
  • Shodan/FOFA exposure hunting: search for JBoss-titled HTTP services using queries http.title:"jboss" or title="jboss" to identify publicly accessible instances.
  • The vulnerable component is the http-invoker.sar; flag any externally accessible deployment of this component on JBoss EAP 5 as high-risk.
  • JBoss EAP 6 and 7 are NOT affected because they do not ship the HTTP invoker component; detection rules should be scoped to EAP 5 instances only.
  • The vulnerability is exploitable only when the http-invoker.sar component is publicly accessible; instances with network-level access controls restricting the invoker contexts are not directly exploitable.
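The request-side and response-side rules above, written out as a small log-review helper. This is an added example, not part of the CVE record or of any vendor tooling; the endpoint list, content type and magic bytes come from the notes above, the function names and the sample traffic are constructed for illustration, and the base64 body reused below is the sample stream listed under "Bytes".

```python
import base64

# Added example, not from the CVE record; sample traffic below is constructed.
INVOKER_PATHS = ("/invoker/jmxinvokerservlet", "/invoker/ejbinvokerservlet", "/invoker/readonly")
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # stream header; base64-encodes to "rO0A..."

def looks_like_java_serialized(body: bytes) -> bool:
    """True for a raw Java serialization stream or its base64 encoding."""
    if body.startswith(JAVA_SERIAL_MAGIC):
        return True
    stripped = body.strip()
    if stripped.startswith(b"rO0A"):
        try:
            return base64.b64decode(stripped, validate=True).startswith(JAVA_SERIAL_MAGIC)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
    return False

def is_invoker_exploit_attempt(method: str, path: str, headers: dict, body: bytes) -> bool:
    """Request-side rule: POST + invoker context + octet-stream + serialized body."""
    if method.upper() != "POST":
        return False
    clean_path = path.split("?", 1)[0].lower()
    if not any(clean_path.startswith(p) for p in INVOKER_PATHS):
        return False
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    return ctype.startswith("application/octet-stream") and looks_like_java_serialized(body)

def response_indicates_processing(status: int, body: bytes) -> bool:
    """Response-side rule: 'JBoss' and 'ClassCastException' (case-insensitive), status 200 or 500."""
    lowered = body.lower()
    return status in (200, 500) and b"jboss" in lowered and b"classcastexception" in lowered

# Constructed traffic: two matching requests (raw and base64 stream), two benign ones.
SERIALIZED_LIST = base64.b64decode(
    "rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA=="
)
SAMPLE_REQUESTS = [
    ("POST", "/invoker/readonly", {"Content-Type": "application/octet-stream"}, SERIALIZED_LIST),
    ("POST", "/invoker/JMXInvokerServlet/", {"content-type": "application/octet-stream"},
     base64.b64encode(SERIALIZED_LIST)),
    ("GET", "/invoker/EJBInvokerServlet/", {}, b""),
    ("POST", "/login", {"Content-Type": "application/x-www-form-urlencoded"}, b"user=a&pw=b"),
]

def scan(requests) -> list:
    """Return the indices of requests that match the exploit-attempt rule."""
    return [i for i, (m, p, h, b) in enumerate(requests) if is_invoker_exploit_attempt(m, p, h, b)]
```

Pair a request hit with `response_indicates_processing` on the matching response to separate a blocked or non-EAP-5 target from one that actually deserialized the object.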

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck       -        9.8    CRITICAL  -
cisa            -        9.8    CRITICAL  -
vendor_redhat   -        9.8    CRITICAL  -