|
|
|||
| Rule General Information |
|---|
| Release Date: | 2017-12-18 | |
| Rule Name: | Red Hat JBoss Application Server doFilter Insecure Deserialization Vulnerability (CVE-2017-12149) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. | |
| Impact: | A remote attacker can exploit the vulnerability by sending a crafted serialized object. Successful attempt can lead to arbitrary code execution in the context of the root user. | |
| Affected OS: | Linux | |
| Reference: | SecurityFocusBID:100591 https://bugzilla.redhat.com/show_bug.cgi?id=1486220 |
|
| Solutions |
|---|
| No information about possible solutions is published. Please use an alternative product to substitude the affected software. |