⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list and has been used in known ransomware attacks. CISA required action: apply updates per vendor instructions. Due date: 2022-06-10.

CVE-2017-12149: Deserialization of Untrusted Data in Red Hat JBoss Enterprise Application Platform

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.3% (top 0.06% of scored CVEs)
CISA KEV: listed, ransomware use known; added 2021-12-10, due 2022-06-10
Exploit: exploited in the wild, active exploitation observed
Timeline: published 2017-10-04; KEV added 2021-12-10; KEV due 2022-06-10; latest update May 29
CISA Required Action: Apply updates per vendor instructions.

Description

In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, and thus allows an unauthenticated attacker to execute arbitrary code by sending crafted serialized data to the invoker endpoint.
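The flaw described above is the generic unrestricted-deserialization pattern: the filter hands the raw request body to an ObjectInputStream, so any Serializable class on the server's classpath can be instantiated during readObject(), and a gadget chain built from library classes runs before the invoker ever looks at the result. The following is an added example, not JBoss EAP source code: a simplified stand-in for that filter logic next to a hardened variant that allowlists class descriptors. The class names ReadOnlyRequest, vulnerableReadInvocation and hardenedReadInvocation are illustrative assumptions, and the serialized java.util.Date is a constructed stand-in for a hostile payload, not a real exploit chain.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not JBoss EAP code). Models the pattern the CVE description
 * names: a read-only invoker endpoint deserializing the request body without
 * restricting classes, beside an allowlisting ObjectInputStream.
 */
public class ReadOnlyInvokerDeserialization {

    /** Hypothetical stand-in for the one request type the endpoint should accept. */
    public static final class ReadOnlyRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String beanName;
        public ReadOnlyRequest(String beanName) { this.beanName = beanName; }
    }

    /** Vulnerable: every Serializable class on the classpath is a candidate for instantiation. */
    public static Object vulnerableReadInvocation(InputStream body)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(body)) {
            return in.readObject(); // gadget chains execute inside this call
        }
    }

    /** Hardened: rejects any class descriptor that is not explicitly allowlisted. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(
                Arrays.asList(ReadOnlyRequest.class.getName()));

        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Thrown before the class is loaded, so none of its code runs.
                throw new InvalidClassException(name, "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static Object hardenedReadInvocation(InputStream body)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(body)) {
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ReadOnlyRequest("ejb/ReadOnlyBean"));
        // Constructed stand-in for a hostile body: a class the endpoint was never meant to accept.
        byte[] hostile = serialize(new Date());

        System.out.println("vulnerable, hostile body: accepted "
                + vulnerableReadInvocation(new ByteArrayInputStream(hostile)).getClass().getName());
        ReadOnlyRequest ok = (ReadOnlyRequest) hardenedReadInvocation(new ByteArrayInputStream(expected));
        System.out.println("hardened, expected body: accepted " + ok.beanName);
        try {
            hardenedReadInvocation(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException e) {
            System.out.println("hardened, hostile body: rejected " + e.classname);
        }
    }
}
```

Overriding resolveClass works on any JDK; on 8u121+ and 9+ the equivalent control is an ObjectInputFilter (JEP 290) installed per stream or process-wide. Either way the allowlist must be narrow: a denylist of known gadget classes is what attackers route around. For EAP 5 itself, the required action on this page remains the vendor update; the example only shows why the unrestricted pattern is exploitable and what the fix class looks like.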

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 2 packages

🔴 Vulnerability Details

GHSA: GHSA-j5r3-wq62-8gp5 (2022-05-14): In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5
CVEList: CVE-2017-12149 (2017-10-04): In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5
VulnCheck: Red Hat JBoss Application Server Remote Code Execution Vulnerability (2017)

💥 Exploits & PoCs

Nuclei: Jboss Application Server - Remote Code Execution
Metasploit: JBoss Vulnerability Scanner

🔍 Detection Rules

Suricata: ET EXPLOIT Jboss RCE (CVE-2017-12149) (2021-06-09)

📋 Vendor Advisories

CISA: Red Hat JBoss Application Server Remote Code Execution Vulnerability (2021-12-10)
Red Hat: jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker (2017-08-30)

🕵️ Threat Intelligence

Qualys: Managing CISA Known Exploited Vulnerabilities with Qualys VMDR (2022-02-23)
Tenable: May Vulnerability of the Month: Java Deserialization Everywhere (2018-05-18)
GreyNoise: Battling Ransomware One Tag At A Time
GreyNoise: NoiseLetter January 2024

📄 Research Papers

arXiv: PentestAgent: Incorporating LLM Agents to Automated Penetration Testing (2025-05-29)

💬 Community

Bugzilla: CVE-2017-12149 jbossas: Arbitrary code execution via unrestricted deserialization in ReadOnlyAccessFilter of HTTP Invoker (2017-08-29)
CVE-2017-12149 — Deserialization of Untrusted Data | cvebase