CVE-2017-7504
Published 2017-05-19
Priority: P184 · Critical · CVSS 3.0: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 29.32% (97.9th percentile)
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| red_hat_inc | jboss | — | — |
| redhat | jboss_enterprise_application_platform | <= 4.0 | — |
Detection & IOCs (extracted from sources)
URL: /jbossmq-httpil/HTTPServerILServlet
Bytes: |AC ED 00|
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jbossmq-httpil/HTTPServerILServlet"; fast_pattern; http.request_body; content:"|AC ED 00|"; reference:url,www.programmersought.com/article/1033574325/; reference:cve,2017-7504; classtype:attempted-admin; sid:2033985; rev:1; metadata:attack_target Server, created_at 2021_09_17, cve CVE_2017_7504, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Look for inbound HTTP POST requests targeting the /jbossmq-httpil/HTTPServerILServlet endpoint, which is the vulnerable JMS over HTTP Invocation Layer servlet.
- The Java serialization magic bytes 0xAC 0xED 0x00 in the HTTP request body indicate a serialized Java object being submitted, which is the exploit payload delivery mechanism.
- The vulnerable component jbossmq-httpil.sar is enabled by default on JBoss 4.x; its presence on internet-facing servers should be treated as a high-risk exposure.
- The exploit does not require authentication; any remote attacker can POST crafted serialized data to the servlet endpoint to achieve RCE.
- The vulnerable endpoint is enabled by default in JBoss 4.x; defenders should verify whether jbossmq-httpil.sar is deployed and accessible, even on systems not intentionally running JMS over HTTP.
- Red Hat does not provide patches for JBoss 4.x as it is end-of-life; mitigation must rely on network-level controls or removal of the jbossmq-httpil.sar deployment.
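The ET rule above combines three conditions (POST method, the vulnerable servlet path in the URI, and the Java serialization stream header in the body). The Python below is an added illustration, not part of this record or of the ET rule set, that applies the same logic to constructed sample requests so the rule's match and non-match cases can be checked offline; the host name and payload bytes are made up.

```python
"""Classify raw HTTP requests with the same logic as the ET rule for CVE-2017-7504."""
from urllib.parse import urlsplit

VULN_PATH = "/jbossmq-httpil/HTTPServerILServlet"
# Java serialization stream header: STREAM_MAGIC is 0xACED; the rule's |AC ED 00|
# additionally pins the high byte of STREAM_VERSION (0x0005).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) < 2:
        return None
    method = request_line[0].decode("ascii", "replace").upper()
    path = urlsplit(request_line[1].decode("ascii", "replace")).path  # drop query string
    return method, path, body


def classify(raw: bytes) -> str:
    """'alert' mirrors the rule; 'probe' marks traffic to the endpoint that the rule ignores."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return "malformed"
    method, path, body = parsed
    if VULN_PATH not in path:          # content match on http.uri is a substring match
        return "benign"
    if method == "POST" and JAVA_SERIAL_MAGIC in body:
        return "alert"
    return "probe"  # endpoint reached without a serialized payload (or via GET)


# Constructed sample traffic for the demo (not real captures).
SAMPLES = {
    "serialized_post": b"POST /jbossmq-httpil/HTTPServerILServlet HTTP/1.1\r\nHost: jboss.example\r\n"
                       b"Content-Length: 8\r\n\r\n\xac\xed\x00\x05sr\x00\x11",
    "get_probe": b"GET /jbossmq-httpil/HTTPServerILServlet HTTP/1.1\r\nHost: jboss.example\r\n\r\n",
    "other_path": b"POST /other/Servlet HTTP/1.1\r\nHost: jboss.example\r\n\r\n\xac\xed\x00\x05",
    "empty_post": b"POST /jbossmq-httpil/HTTPServerILServlet?x=1 HTTP/1.1\r\nHost: jboss.example\r\n\r\n",
}


def scan_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}
```

Only the first sample trips the rule; the GET and the empty POST to the servlet are reported as probes, which the Snort signature alone would not flag.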
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-gwfp-fq3q-j3f2: HTTPServerILServlet
ghsa_unreviewed · 2022-05-13 · CVE-2017-7504 · CRITICAL · CWE-502
Description: identical to the NVD description above.
VulnCheck
Red Hat JBoss Application Server Deserialization of Untrusted Data
vulncheck · 2017 · CVSS 9.8 · CVE-2017-7504 · CRITICAL
Description: identical to the NVD description above.
Affected: Red Hat JBoss Application Server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated; https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker; https://thehacker
Suricata
ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)
suricata · 2021-09-17 · CVSS 9.8 · CVE-2017-7504 · CRITICAL
Rule: sid 2033985, rev 1 (full rule text reproduced under Detection & IOCs above).
No public exploits indexed.
HackerOne
Java Deserialization RCE via JBoss on card.starbucks.in
hackerone · 2017-05-22 · CVSS 9.8 · CRITICAL
The researcher discovered that a Starbucks online system running on the domain `http://card.starbucks.in/` performs deserialization of java objects that are submitted by users on a specific path belonging to JBOSSMQ without sanitizing/validating the data. As a result, an attacker can inject a malicious java object capable of running a command on the system during the deserialization process. We have immediately taken necessary measures to patch this vulnerability and the researcher responsibly disclosed it to RedHat as well. This was assigned [CVE-2017-7504](https://access.redhat.com/security/cve/cve-2017-7504).
Bugzilla
CVE-2017-7504 jboss: JbossMQ HTTP Invocation Layer deserialization vulnerability
bugzilla · 2017-05-16 · CVSS 9.8 · CVE-2017-7504 · CRITICAL
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation (jbossmq-httpil.sar, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X) does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.
Acknowledgments: Joao Filho Matos Figueiredo
Statement: JBoss 4.x is not supported by Red Hat
Timeline: 2017-05-19 Published · Exploited in the wild