CVE-2017-7504
published 2017-05-19


Priority P184 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 29.32% (97.9th percentile)
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

Affected (2 ranges)

Vendor         Product                                 Version range   Fixed in
red_hat_inc    jboss                                   -               -
redhat         jboss_enterprise_application_platform   <= 4.0          -

Detection & IOCs (extracted from sources)

url:    /jbossmq-httpil/HTTPServerILServlet
path:   jbossmq-httpil.sar
bytes:  |AC ED 00|
snort (Emerging Threats rule SID 2033985, written in Suricata 5+ keyword syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jbossmq-httpil/HTTPServerILServlet"; fast_pattern; http.request_body; content:"|AC ED 00|"; reference:url,www.programmersought.com/article/1033574325/; reference:cve,2017-7504; classtype:attempted-admin; sid:2033985; rev:1; metadata:attack_target Server, created_at 2021_09_17, cve CVE_2017_7504, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Look for inbound HTTP POST requests to /jbossmq-httpil/HTTPServerILServlet, the JMS over HTTP Invocation Layer servlet that performs the unrestricted deserialization.
  • A Java serialization stream always begins with the magic bytes 0xAC 0xED followed by the stream version 0x00 0x05; their presence in the request body indicates a serialized Java object being submitted, which is the exploit's delivery mechanism. The rule above matches only the first three bytes, anywhere in the body, so confirm the header sits at offset 0 before escalating.
  • No authentication is required: any remote client that can reach the servlet can POST crafted serialized data and execute code with the privileges of the application server process.
  • The servlet is delivered by jbossmq-httpil.sar, which is deployed by default on JBoss 4.x. Verify whether it is present and reachable even on systems that were never meant to run JMS over HTTP, and treat an internet-facing instance as a high-risk exposure.
  • Red Hat does not provide patches for JBoss 4.x, which is end-of-life; mitigation relies on removing the jbossmq-httpil.sar deployment (or migrating off JBoss 4.x entirely) and on network-level controls that keep the endpoint unreachable from untrusted networks.
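As an added example (not material from this page, nor code from VulnCheck, Emerging Threats or Red Hat), the following Python implements the detection logic the bullets above describe and runs it over constructed sample requests. It goes slightly beyond the rule: a request to the servlet path without a payload is reported as a probe, and a body that merely contains the three rule bytes somewhere is separated from one that actually starts with the full serialization header. The host name, the sample bodies and the verdict names are assumptions for illustration.

```python
# Added example (not code from the page, VulnCheck, or Red Hat): offline
# detection logic for CVE-2017-7504 exploitation attempts, mirroring the ET
# rule above. It parses raw HTTP/1.x requests, then flags POSTs to the
# JbossMQ HTTP-IL servlet whose body carries the Java serialization stream
# header. Host names and the sample requests are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVLET_PATH = "/jbossmq-httpil/HTTPServerILServlet"
STREAM_MAGIC = b"\xac\xed"      # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = b"\x00\x05"    # java.io.ObjectStreamConstants.STREAM_VERSION
RULE_PATTERN = b"\xac\xed\x00"  # what the ET rule matches: first three bytes, unanchored


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes


def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Parse a raw HTTP/1.x request with a Content-Length body (no chunked encoding).

    Returns None for anything that is not a well-formed request head, so a
    caller can count junk input and move on instead of crashing on it.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    # Honour Content-Length if present; a body shorter than declared is kept as-is.
    length = headers.get("content-length")
    if length and length.isdigit():
        body = body[: int(length)]
    path = parts[1].split(b"?", 1)[0].decode("latin-1")  # drop the query string
    return HttpRequest(parts[0].decode("latin-1"), path, headers, body)


def classify(req: HttpRequest) -> str:
    """Verdict for one request.

    'exploit'  POST to the servlet, body starts with AC ED 00 05 (a real ObjectOutputStream stream)
    'suspect'  POST to the servlet, AC ED 00 found elsewhere in the body (what the ET rule alone sees)
    'probe'    any other request for the servlet path (recon for an exposed jbossmq-httpil.sar)
    'benign'   anything else
    """
    # Exact path match plus a path-info prefix (assumption); servlet containers match case-sensitively.
    if req.path != SERVLET_PATH and not req.path.startswith(SERVLET_PATH + "/"):
        return "benign"
    if req.method == "POST":
        if req.body.startswith(STREAM_MAGIC + STREAM_VERSION):
            return "exploit"
        if RULE_PATTERN in req.body:
            return "suspect"
    return "probe"


def scan(raw_requests: List[bytes]) -> Counter:
    """Tally verdicts over a batch of captured requests; unparsable input counts as 'malformed'."""
    tally: Counter = Counter()
    for raw in raw_requests:
        req = parse_request(raw)
        tally[classify(req) if req else "malformed"] += 1
    return tally


def build_request(method: str, path: str, body: bytes = b"", host: str = "jboss.example.internal") -> bytes:
    """Assemble a raw request with a correct Content-Length (used only to build the samples below)."""
    head = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body


# Constructed samples. The "exploit" body is just the stream header plus the
# first bytes of a TC_OBJECT/TC_CLASSDESC record, not a working gadget chain.
SAMPLE_BENIGN = build_request("GET", "/index.html")
SAMPLE_PROBE = build_request("GET", SERVLET_PATH)
SAMPLE_EXPLOIT = build_request("POST", SERVLET_PATH, b"\xac\xed\x00\x05sr\x00\x11")
SAMPLE_SUSPECT = build_request("POST", SERVLET_PATH, b"data=" + b"\xac\xed\x00\x05")
SAMPLE_JUNK = b"not an http request"

if __name__ == "__main__":
    for raw in (SAMPLE_BENIGN, SAMPLE_PROBE, SAMPLE_EXPLOIT, SAMPLE_SUSPECT):
        req = parse_request(raw)
        print(f"{classify(req):8} {req.method} {req.path}")
    print(dict(scan([SAMPLE_BENIGN, SAMPLE_PROBE, SAMPLE_EXPLOIT, SAMPLE_SUSPECT, SAMPLE_JUNK])))
```

Run stand-alone it prints one verdict per sample and the tally. The startswith check on the full four-byte header is what separates an actual ObjectOutputStream stream from a form field that happens to contain the bytes; in a real attack the body continues with a deserialization gadget chain that is far longer than the eight-byte sample here, so the same function works unchanged on captured traffic.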

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck   -         9.8     CRITICAL   -