Cyber Resilience

CVE-2017-12149

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 04 October 2017

Modified
21 April 2026
KEV Added
10 December 2021
CVSS v3.1 Score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score 0.9429 (99.9th percentile)
Risk Priority 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-12149 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Red Hat JBoss Enterprise Application Platform. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

The vulnerability is a deserialization flaw (CWE-502) in the doFilter method of ReadOnlyAccessFilter, part of the HTTP Invoker component of JBoss Application Server as shipped with Red Hat JBoss Enterprise Application Platform 5.2. The method deserializes the request body without restricting which classes may be instantiated. In Java serialization the stream itself names the classes to load, so an attacker is not limited to the request type the invoker expects: any Serializable class already on the server's classpath is reachable, which is what makes gadget-chain payloads possible.

An unauthenticated remote attacker can exploit the issue over the network by sending crafted serialized data to the affected HTTP Invoker endpoint. No privileges or user interaction are required (AV:N/AC:L/PR:N/UI:N), and successful exploitation yields arbitrary code execution on the server with full confidentiality, integrity, and availability impact, as reflected in the CVSS 9.8 score.

Red Hat has published errata RHSA-2018:1607 and RHSA-2018:1608 that address the flaw, along with a Bugzilla entry documenting the root cause. Public exploit code targeting the vulnerability is available, so exposed, unpatched instances should be treated as compromised until verified otherwise.

Vulnerability details

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

CWE(s)
CWE-502 Deserialization of Untrusted Data

Related Threats

No named threat-actor attribution yet; ATT&CK technique mapping for this CVE is in progress.

Affected Assets

Vendor: redhat
Product: jboss enterprise application platform
Versions: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2

Note that the CVE description names EAP 5.2 while this version list stops at 5.1.2; treat any EAP 5.x deployment that exposes the HTTP Invoker as in scope until the vendor erratum is confirmed applied.

Mitigating Controls (NIST 800-53 r5)

prevent
SI-10 (Information Input Validation): directly requires validation of all input, including serialized objects, so that untrusted or unauthorized classes are rejected before deserialization occurs in the HTTP Invoker filter.

prevent / detect
Requires mechanisms to detect and block malicious code payloads that would otherwise execute after unsafe deserialization of attacker-supplied objects.

prevent
CM-7 (Least Functionality): requires disabling or restricting non-essential services such as the unauthenticated HTTP Invoker endpoint that exposes the vulnerable deserialization path.
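The following is an added example, not code from the page or from JBoss, illustrating both the flaw described under "Deeper analysis" and the SI-10 control above. It shows the vulnerable shape (an ObjectInputStream that instantiates whatever class the stream names) beside the hardened form (a look-ahead allowlist enforced in resolveClass, which runs before any class is instantiated). DemoInvocation is a hypothetical stand-in for the request object an invoker endpoint expects; java.util.HashMap stands in for an attacker-chosen class, since real payloads name gadget-chain classes instead. ReadOnlyAccessFilter itself is not reproduced.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class InvokerDeserializationDemo {

    // Hypothetical stand-in for the request type an invoker endpoint expects (not a JBoss class).
    static final class DemoInvocation implements Serializable {
        private static final long serialVersionUID = 1L;
        final String methodName;
        DemoInvocation(String methodName) { this.methodName = methodName; }
    }

    // VULNERABLE shape: the stream decides which class is loaded and instantiated,
    // so any Serializable class on the classpath is reachable from a crafted body.
    static Object deserializeUnrestricted(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED shape: resolveClass() is invoked for every class descriptor before the
    // class is instantiated, so a rejected descriptor never reaches readObject()/readResolve().
    static final class RestrictedObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        RestrictedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserializeRestricted(byte[] body, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new RestrictedObjectInputStream(new ByteArrayInputStream(body), allowed)) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected request object and one stand-in for an
        // attacker-chosen class (a real payload would name gadget-chain classes, not HashMap).
        byte[] expected = serialize(new DemoInvocation("getVersion"));
        byte[] hostile = serialize(new HashMap<String, String>());

        // Allowlist only the request type; String fields need no entry (written as TC_STRING).
        Set<String> allowed = new HashSet<>(Arrays.asList(DemoInvocation.class.getName()));

        // Vulnerable path instantiates the attacker's class without complaint.
        System.out.println("unrestricted accepted: " + deserializeUnrestricted(hostile).getClass().getName());

        // Hardened path accepts the expected type ...
        DemoInvocation call = (DemoInvocation) deserializeRestricted(expected, allowed);
        System.out.println("restricted accepted: " + call.methodName);

        // ... and rejects anything else before it is instantiated.
        try {
            deserializeRestricted(hostile, allowed);
        } catch (InvalidClassException e) {
            System.out.println("restricted rejected: " + e.getMessage());
        }
    }
}
```

Two practical notes. First, the allowlist has to cover every class in the legitimate object graph (arrays such as "[B", collection classes, nested value types), so a small, explicit request type is far easier to protect than a general-purpose invocation carrying arbitrary arguments. Second, on Java 9 and later (and 8u121+ via the backport) the standard mechanism is JEP 290: ObjectInputStream.setObjectInputFilter with a pattern from ObjectInputFilter.Config.createFilter, which can also cap depth and array sizes. Either way, the allowlist only protects the deserialization call it is attached to; where the invoker is not needed, removing or blocking the endpoint (the CM-7 control above) is the more robust fix.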

References