It was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization. This allows an attacker to execute arbitrary code via crafted serialized data.
Find out more about CVE-2017-12149 from the MITRE CVE dictionary dictionary and NIST NVD.
Red Hat JBoss Enterprise Application Platform 6 and 7 do not ship the http invoker so they are not affected.
| CVSS3 Base Score | 9.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss EAP 5 | RHSA-2018:1608 | 2018-05-17 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jbossas) | RHSA-2018:1607 | 2018-05-17 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jbossas) | RHSA-2018:1607 | 2018-05-17 |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EAP 7 | jbossas | Not affected |
| Red Hat JBoss EAP 6 | jbossas | Not affected |
Secure the access to the entire http-invoker contexts by adding <url-pattern>/*</url-pattern> to the security-constraints in the web.xml file of the http-invoker.sar.The users who do not wish to use the http-invoker.sar can remove it.
Vulmon