Java/Jboss Deserialization RCE CVE-2017-12149 Scanner

Details
Stay Up To Date
Asset Type

DOMAIN,IP

Need Membership

Yes

Asset Verify

Yes

API Support

Yes

Estimate Time (Second)

15

Java/Jboss Deserialization RCE CVE-2017-12149 Scanner Detail

Deserialization of untrusted data in Java/Jboss allows remote attackers to execute arbitrary code.

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Some Advice for Common Problems

  • You need to apply related fixes.
  • Sanitize all parameters received as input from the user.

Community Discussions

Need a Full Assesment?

Get help from professional hackers. Learn about our penetration test service now!

Request Pentest Service