Java/Jboss Deserialization RCE CVE-2017-12149 Scanner

Stay Up To Date
Asset Type


Need Membership


Asset Verify


API Support


Estimate Time (Second)


Java/Jboss Deserialization RCE CVE-2017-12149 Scanner Detail

Deserialization of untrusted data in Java/Jboss allows remote attackers to execute arbitrary code.

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Some Advice for Common Problems

  • You need to apply related fixes.
  • Sanitize all parameters received as input from the user.

Need a Full Assessment?

Get help from professional hackers. Learn about our penetration test service now!

Request Pentest Service