Vulnerability Description
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss Enterprise Application Platform | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/100591Broken LinkThird Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2018:1607Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:1608Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220Issue Tracking
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149Third Party Advisory
- http://www.securityfocus.com/bid/100591Broken LinkThird Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2018:1607Third Party Advisory
- https://access.redhat.com/errata/RHSA-2018:1608Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220Issue Tracking
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149Third Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-US Government Resource
FAQ
What is CVE-2017-12149?
CVE-2017-12149 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes...
How severe is CVE-2017-12149?
CVE-2017-12149 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-12149?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform.