CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2017-12149

CVSS 9.8v3.1pub. 2017-10-04upd. 2026-04-21

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Red Hat Jboss Enterprise Application Platform

    APP
    Redhat
    5.0.05.0.15.1.05.1.15.1.25.2.05.2.15.2.2

CISA KEV — detailsi

Vendori
Red Hat
Producti
JBoss Application Server
Added to KEVi
December 10, 2021
Remediation deadline (US Federal)i
June 10, 2022(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 10 czerwca 2022
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2025-12543CRITICAL9.6PL ✓ten sam produkt

Brak walidacji nagłówka Host w serwerze Undertow HTTP

CVE-2019-14887CRITICAL9.1ten sam produkt

A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the ...

CVE-2019-14892CRITICAL9.8ten sam produkt

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would perm...

CVE-2019-20444CRITICAL9.1ten sam produkt

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpr...

CVE-2019-20445CRITICAL9.1ten sam produkt

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Con...