CVE-2017-12149
Published: 2017-10-04
Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-06-10)
Exploited in the wild
EPSS: 90.71% (99.8th percentile)
In JBoss Application Server as shipped with Red Hat JBoss Enterprise Application Platform 5.2, the doFilter method of the ReadOnlyAccessFilter in the HTTP Invoker deserializes the request body without restricting which classes may be deserialized. An unauthenticated remote attacker can therefore execute arbitrary code by sending crafted serialized data.
Affected
9 ranges are listed by the source; version bounds and fixed versions were not captured. Per the Red Hat statement below, only EAP 5 ships the http-invoker component.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| red_hat_inc | jbossas | — | — |
| redhat | jboss_enterprise_application_platform (8 ranges) | — | — |
Detection & IOCs (extracted from sources)
Sample bytes (base64 of a serialized java.util.ArrayList holding "element 1" and "element 2"; the Java serialization magic 0xACED0005 is the leading rO0AB):
rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==
- Detect exploitation attempts by matching HTTP POST requests to the three JBoss invoker contexts (/invoker/JMXInvokerServlet, /invoker/EJBInvokerServlet, /invoker/readonly) whose body is a Java serialized object stream (magic bytes 0xACED0005, which appear as rO0AB in base64), typically sent with Content-Type: application/octet-stream. Key on the magic bytes rather than the header, which an attacker can omit or change.
- A vulnerable server's response to a serialized probe contains both 'JBoss' and 'ClassCastException' (case-insensitive) with HTTP status 200 or 500: the object was deserialized first and only then rejected by a cast, which is exactly the unrestricted-deserialization flaw.
- Attackers use ysoserial to generate payloads built on Apache Commons Collections gadget chains. Signatures keyed on a gadget class name (for example java.util.HashSet, which the ET Suricata rule below matches) catch those specific chains only; monitor POST bodies to the invoker endpoints for any serialized stream, whatever its root class.
- Shodan/FOFA exposure hunting: search for JBoss-titled HTTP services with http.title:"jboss" (Shodan) or title="jboss" (FOFA) to find publicly reachable instances.
- The vulnerable component is http-invoker.sar; flag any externally reachable deployment of it on JBoss EAP 5 as high-risk.
- JBoss EAP 6 and 7 are not affected because they do not ship the HTTP invoker component; scope detection and vulnerability rules to EAP 5 (the Affected table also lists the community jbossas package).
- The flaw is exploitable only when the http-invoker.sar contexts are reachable by the attacker; instances where network-level controls or the web.xml security constraints block access to the invoker contexts are not directly exploitable.
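The indicators above, turned into runnable checks. This is an added example, not code from any of the sources on this page: it classifies HTTP requests by the invoker path, the Java serialization magic and the java.util.HashSet string the ET Suricata rule keys on, walks the stream header far enough to report the first class name, and applies the JBoss + ClassCastException response matcher. The sample requests, the error page and the host name jboss.example.internal are constructed for the demo; the only real data is the base64 IOC sample listed above. The "HashSet" request is just a stream header that opens with that class name, not a working gadget chain.

```python
"""Indicator checks for CVE-2017-12149 traffic, run over constructed samples."""
import base64
import struct
from typing import Optional

# The three invoker contexts named in the detection notes above.
INVOKER_PATHS = ("/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet", "/invoker/readonly")
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"      # stream magic + version 5; "rO0AB" once base64-encoded
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
HASHSET_MARK = b"java.util.HashSet"        # string the ET Suricata rule keys on

# Base64 sample listed under Detection & IOCs: a serialized java.util.ArrayList.
IOC_SAMPLE_B64 = "rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA=="


def ioc_sample_bytes() -> bytes:
    return base64.b64decode(IOC_SAMPLE_B64)


def first_class_name(body: bytes) -> Optional[str]:
    """Name of the first class descriptor in a Java serialization stream.

    Handles the usual opening (magic, TC_OBJECT, TC_CLASSDESC, UTF name) and
    returns None for anything else, so it never raises on arbitrary bytes."""
    if len(body) < 8 or not body.startswith(JAVA_SER_MAGIC):
        return None
    if body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", body[6:8])
    name = body[8:8 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else None


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request splitter -> (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def assess(raw: bytes) -> dict:
    """Classify one request. Any serialized object POSTed to an invoker context is
    alert-worthy: the filter deserializes before it checks the type, so the
    payload's class (benign ArrayList or gadget chain) does not matter."""
    method, path, headers, body = parse_request(raw)
    norm = path.rstrip("/")
    on_invoker = any(norm == p or norm.startswith(p + "/") for p in INVOKER_PATHS)
    serialized = body.startswith(JAVA_SER_MAGIC)
    if method == "POST" and on_invoker and serialized:
        verdict = "alert"
    elif method == "POST" and on_invoker:
        verdict = "suspicious"       # invoker POST without a serialized body
    else:
        verdict = "benign"
    return {
        "path": path,
        "verdict": verdict,
        "octet_stream": headers.get("content-type", "").lower().startswith("application/octet-stream"),
        "first_class": first_class_name(body),
        "hashset_marker": HASHSET_MARK in body,   # what the ET rule would match on
    }


def response_indicates_vulnerable(status: int, body: str) -> bool:
    """Response matcher from the notes above: deserialized, then the cast failed."""
    low = body.lower()
    return status in (200, 500) and "jboss" in low and "classcastexception" in low


def _request(method: str, path: str, body: bytes = b"", ctype: str = "application/octet-stream") -> bytes:
    head = f"{method} {path} HTTP/1.1\r\nHost: jboss.example.internal\r\n"   # constructed host
    if body:
        head += f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n"
    return head.encode("latin-1") + b"\r\n" + body


def _hashset_header() -> bytes:
    """Constructed stream that merely opens with java.util.HashSet; not a gadget chain."""
    name = b"java.util.HashSet"
    return JAVA_SER_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name + b"\x00" * 16


# Constructed traffic, not captures.
SAMPLES = {
    "normal_get": _request("GET", "/app/index.jsp"),
    "readonly_arraylist": _request("POST", "/invoker/readonly", ioc_sample_bytes()),
    "jmx_hashset": _request("POST", "/invoker/JMXInvokerServlet/", _hashset_header()),
    "readonly_text": _request("POST", "/invoker/readonly?x=1", b"hello", ctype="text/plain"),
}
# Constructed error page of the kind a vulnerable EAP 5 returns to a serialized probe.
SAMPLE_RESPONSE = (500, "<title>JBoss Web - Error report</title>java.lang.ClassCastException: "
                        "java.util.ArrayList cannot be cast to org.jboss.invocation.MarshalledInvocation")


def analyze_samples() -> dict:
    return {name: assess(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in analyze_samples().items():
        print(f"{name:20s} {result['verdict']:10s} class={result['first_class']} hashset={result['hashset_marker']}")
    print("probe response looks vulnerable:", response_indicates_vulnerable(*SAMPLE_RESPONSE))
```

The verdict for the ArrayList sample is "alert" on purpose: the filter deserializes whatever arrives, so a benign-looking root class is no reason to downgrade a serialized POST to an invoker context. The HashSet marker is reported separately so you can see how much narrower the ET signature is than the magic-bytes check.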
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
- Red Hat (vendor): 9.8 CRITICAL
GHSA
GHSA-j5r3-wq62-8gp5 · ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-502
Description: identical to the NVD text above.
VulnCheck
Red Hat JBoss Application Server Remote Code Execution Vulnerability
vulncheck · 2017 · CVSS 9.8 · CRITICAL · CWE-502
The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.
Affected: Red Hat JBoss Application Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2017-12149
- https://www.lacework.com/blog/elf-of-the-month-new-lucky-ransomware-sample/
- https://cyware.com/news/satan-ransomware-an-overview-of-the-ransomwares-variants-and-exploits-35acecd3
- https://www.alibabacloud.com/blog/8220-mining-group-now-uses-rootkit-to-hide-its-miners_595055
- https://web.archive.org/web/20220227045141/https://risksen
CISA
Red Hat JBoss Application Server Remote Code Execution Vulnerability
cisa · 2021-12-10 · CVSS 9.8 · CRITICAL · CWE-502
Affected: Red Hat JBoss Application Server
The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-12149
Remediation Due Date: 2022-06-10
Red Hat
jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker.
vendor_redhat · 2017-08-30 · CVSS 9.8 · CRITICAL · CWE-502
It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data.
Statement: Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.
Mitigation: Secure access to the entire http-invoker context by adding /* to the security-constraints in the web.xml file of http-invoker.sar. Users who do not use http-invoker.sar can remove it.
Suricata
ET EXPLOIT Jboss RCE (CVE-2017-12149)
suricata · 2021-06-09 · CVSS 9.8 · sid 2033118
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jboss RCE (CVE-2017-12149)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/readonly"; fast_pattern; http.request_body; content:"java.util.HashSet"; reference:cve,2017-12149; reference:url,github.com/gottburgm/Exploits/blob/master/CVE-2017-12149/CVE_2017_12149.pl#L180; classtype:attempted-admin; sid:2033118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, cve CVE_2017_12149, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_06_09;)
Scope of the rule: it fires only on POSTs to /invoker/readonly whose body contains the literal java.util.HashSet. POSTs to the JMXInvokerServlet and EJBInvokerServlet contexts, and gadget chains whose root object is not a HashSet, are not covered, so pair it with a check for the serialization magic (0xACED0005) on all three invoker paths.
Nuclei
Jboss Application Server - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL · authors fopina, s0obi
Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
Template (truncated in the source):
id: CVE-2017-12149

info:
  name: Jboss Application Server - Remote Code Execution
  author: fopina,s0obi
  severity: critical
  description: Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classe
Metasploit
JBoss Vulnerability Scanner
metasploit
This module scans a JBoss instance for a few vulnerabilities.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
blogs_qualys · 2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
May Vulnerability of the Month: Java Deserialization Everywhere
blogs_tenable · 2018-05-18 · CVSS 9.8 · CRITICAL · Tenable Research, May 18, 2018
Every month, we ask our researchers to nominate a vulnerability of the month. Novelty, sophistication or just plain weirdness are some of the potential criteria for selecting a vulnerability of the month. After the nominations are collected, the candidates are shortlisted and voted on by our 70-plus-member research organization, combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.
### Background
On the heels of a failed patch to another Java deserialization vulnerability in Oracle WebLogic Servers, the research team voted to highlight a Red Hat JBoss vulnerability this month. CVE-2017-12149 is ano
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Greynoiseio
NoiseLetter January 2024
blogs_greynoiseio
Greynoiseio
Malicious Tag Roundup (Jul 19-Aug 2, 2021)
blogs_greynoiseio · CVSS 10.0 · CRITICAL
Bugzilla
CVE-2017-12149 jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker.
bugzilla · 2017-08-29 · CVSS 9.8 · CRITICAL
It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, which allows an attacker to execute arbitrary code via crafted serialized data.
Discussion:
Acknowledgments:
Name: Joao F M Figueiredo
---
Mitigation:
Secure access to the entire http-invoker context by adding /* to the security-constraints in the web.xml file of http-invoker.sar. Users who do not use http-invoker.sar can remove it.
---
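What the Red Hat and Bugzilla mitigation looks like in the file itself, as an added example (not the web.xml Red Hat ships, and not an excerpt from either advisory). The fragments belong in WEB-INF/web.xml inside http-invoker.sar. The filter mapping and the pre-existing url-patterns in the "before" constraint are an assumption about a typical JBoss 5 install; diff against your own file rather than copying them. The role name HttpInvoker is likewise assumed.

```xml
<!-- Fragments of WEB-INF/web.xml in http-invoker.sar (JBoss AS 5 / EAP 5).
     Added example; the "before" patterns are assumed, not quoted from Red Hat. -->

<!-- The filter that deserializes the request body is mapped to /readonly/*.
     If the security-constraint does not cover that path, /invoker/readonly
     is reachable without credentials. (assumed mapping) -->
<filter-mapping>
  <filter-name>ReadOnlyAccessFilter</filter-name>
  <url-pattern>/readonly/*</url-pattern>
</filter-mapping>

<!-- BEFORE (assumed): only some paths in the context are protected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <url-pattern>/restricted/*</url-pattern>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
</security-constraint>

<!-- AFTER: the mitigation from the advisory. One /* pattern covers the whole
     context, including /readonly/*. No http-method list: in the servlet
     spec, listing methods leaves every unlisted method unconstrained, so an
     attacker could try the filter with a method you forgot. The transport
     guarantee keeps the HttpInvoker credentials off clear-text HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>HttpInvoker</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two caveats. The constraint limits who can reach the filter; it does not change what the filter does, so any principal holding the HttpInvoker role can still feed it an arbitrary object graph. Treat it as a stop-gap until the vendor updates (RHSA-2018:1607 and RHSA-2018:1608 in the references) are applied, and remove http-invoker.sar outright where nothing depends on it, as the advisory suggests. CONFIDENTIAL also requires an HTTPS connector to be configured, or every request to the context will be redirected and the invoker will stop working over plain HTTP.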
Statement:
Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.
---
(In reply to Bharti Kun
arXiv
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
arxiv_fulltext · 2025-05-29
Authors: Xiangmin Shen (Northwestern University, Evanston, Illinois, USA), Lingzhi Wang (Northwestern University, Evanston, Illinois, USA), Zhenyuan Li (Zhejiang University, Hangzhou, Zhejiang, China), Yan Chen (Northwestern University, Evanston, Illinois, USA), Wencheng Zhao (Ant Group, Hangzhou, Zhejiang, China), Dawei Sun (Ant Group, Hangzhou, Zhejiang, China), Jiashui Wang (Zhejiang University, Hangzhou, Zhejiang, China), Wei Ruan (Zhejiang University, Hangzhou, Zhejiang, China). Xiangmin Shen and Lingzhi Wang contributed equally to this work.
References
- http://www.securityfocus.com/bid/100591
- https://access.redhat.com/errata/RHSA-2018:1607
- https://access.redhat.com/errata/RHSA-2018:1608
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149
Timeline
- 2017-10-04: Published
- 2021-12-10: Added to CISA KEV
- Exploited in the wild