CVE-2017-12149
Published: 04 October 2017
Summary
CVE-2017-12149 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Red Hat JBoss Enterprise Application Platform. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
The vulnerability is a deserialization flaw (CWE-502) in the doFilter method of the ReadOnlyAccessFilter within the HTTP Invoker component of JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2. The method performs deserialization without restricting the classes that can be processed, enabling attackers to supply malicious serialized payloads.
An unauthenticated remote attacker can exploit the issue over the network by sending crafted serialized data to the affected HTTP Invoker endpoint, resulting in arbitrary code execution on the server with full confidentiality, integrity, and availability impact as reflected in the CVSS 9.8 score.
Red Hat has published errata RHSA-2018:1607 and RHSA-2018:1608 that address the flaw, along with a Bugzilla entry documenting the root cause. Public exploit code targeting the vulnerability has been made available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-3733
Vulnerability details
In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV date added: 10 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input (including serialized objects) to reject untrusted or unauthorized classes before deserialization occurs in the HTTP Invoker filter.
- Requires mechanisms to detect and block malicious code payloads that would be executed after unsafe deserialization of attacker-supplied objects.
- CM-7 (Least Functionality): requires disabling or restricting non-essential services such as the unauthenticated HTTP Invoker endpoint that exposes the vulnerable deserialization path.