CVE-2017-7504Deserialization of Untrusted Data in Redhat Jboss Enterprise Application Platform

CWE-502Deserialization of Untrusted Data7 documents7 sources
Severity
9.8CRITICALNVD
EPSS
90.3%
top 0.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat Jboss Enterprise Application PlatformRED HAT INC Jboss
Timeline
PublishedMay 19
Latest updateMay 13

Description

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5red_hat_inc/jboss4.x

🔴Vulnerability Details

3
GHSA
GHSA-gwfp-fq3q-j3f2: HTTPServerILServlet2022-05-13
CVEList
CVE-2017-7504: HTTPServerILServlet2017-05-19
VulnCheck
Red Hat JBoss Application Server Deserialization of Untrusted Data2017

🔍Detection Rules

1
Suricata
ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)2021-09-17

💬Community

2
HackerOne
Java Deserialization RCE via JBoss on card.starbucks.in2017-05-22
Bugzilla
CVE-2017-7504 jboss: JbossMQ HTTP Invocation Layer deserialization vulnerability2017-05-16
CVE-2017-7504 — Deserialization of Untrusted Data | cvebase