CVE-2017-12149

CVE-2017-12149 is a critical-severity vulnerability in Redhat Jboss Enterprise Application Platform with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-12-10). The underlying weakness is classified as CWE-502.

Key facts

Description

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

CVE-2017-12149: JBoss HTTP Invoker Deserialization Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2017-12149
CWE CWE-502: Deserialization of Untrusted Data
CVSS v3 9.8 (CRITICAL)
CVSS v2 7.5 (HIGH)
EPSS 90.71%
CISA KEV Listed (2021-12-10)
Published 2017-10-04
Last Modified 2026-06-17

Summary

JBoss Application Server, as shipped with Red Hat Enterprise Application Platform (EAP) 5.2, contains a critical deserialization vulnerability in the HTTP Invoker's ReadOnlyAccessFilter. The doFilter method deserializes arbitrary Java objects from incoming HTTP requests without class restriction, allowing an unauthenticated remote attacker to execute arbitrary code by submitting a crafted serialized payload.

Background

JBoss EAP 5.x includes an HTTP Invoker service that exposes EJB beans over HTTP via servlet filters. The ReadOnlyAccessFilter was intended to provide a read-only interface to JNDI and EJB invocation endpoints. However, the underlying deserialization mechanism trusts the class types embedded within the serialized stream, a classic anti-pattern in Java remote communication frameworks predating modern secure-coding standards.

Root Cause

CWE-502: Deserialization of Untrusted Data

The root cause lies in the doFilter implementation within ReadOnlyAccessFilter, which passes attacker-controlled input directly into Java's native deserialization framework (ObjectInputStream). No class whitelist, look-ahead deserialization, or type-checking is performed. Consequently, any class available on the application classpath can be instantiated and its methods invoked during deserialization. Attackers leverage "gadget chains" — sequences of existing classes whose readObject, finalize, or other methods perform dangerous side effects — to achieve arbitrary code execution.

Impact

Metric Value Interpretation
Attack Vector Network Exploitable over any routable TCP/IP path
Attack Complexity Low No special conditions or race conditions required
Privileges Required None Fully unauthenticated
User Interaction None No victim action needed
Scope Unchanged Impact limited to the vulnerable component
Confidentiality High Full data disclosure possible
Integrity High Full data and system modification possible
Availability High System availability can be fully compromised

The CVSS v3.1 score of 9.8 (CRITICAL) and CVSS v2 score of 7.5 (HIGH) reflect that this is an unauthenticated, network-exploitable remote code execution (RCE) vulnerability with trivial complexity. Given that the HTTP Invoker is often exposed to internal networks (and sometimes the internet) for remote EJB access, the attack surface is significant.

Exploitation Walkthrough

Ethics Caveat: The following description is provided for defensive purposes only — to aid detection, understanding, and remediation. The information is derived from public advisories and is already widely documented. Do not use this knowledge to attack systems without explicit authorization.

From a defender's perspective, exploitation follows this generic pattern:

  1. Reconnaissance: The attacker identifies a reachable JBoss HTTP Invoker endpoint, typically at paths such as /invoker/JMXInvokerServlet or /invoker/EJBInvokerServlet.
  2. Payload Crafting: Using publicly available gadget chains compatible with the target's classpath (e.g., Commons Collections, Groovy, or JBoss-specific libraries), the attacker constructs a serialized Java object whose deserialization triggers a chain of method calls culminating in OS command execution.
  3. Delivery: The crafted payload is sent as the HTTP POST body to the invoker endpoint with a content type of application/x-java-serialized-object.
  4. Execution: The server deserializes the payload, the gadget chain executes, and the attacker gains remote shell access or equivalent control.

Because no authentication is required and the attack complexity is low, automated exploitation is prevalent. The high EPSS score confirms active, widespread exploitation in the wild.

Affected and Patched Versions

Affected Products:

  • Red Hat JBoss Enterprise Application Platform 5.0.0
  • Red Hat JBoss Enterprise Application Platform 5.0.1
  • Red Hat JBoss Enterprise Application Platform 5.1.0
  • Red Hat JBoss Enterprise Application Platform 5.1.1
  • Red Hat JBoss Enterprise Application Platform 5.1.2
  • Red Hat JBoss Enterprise Application Platform 5.2.0
  • Red Hat JBoss Enterprise Application Platform 5.2.1
  • Red Hat JBoss Enterprise Application Platform 5.2.2
  • Red Hat JBoss Enterprise Application Platform text-only variant

Patches:
Red Hat released security errata to address this vulnerability. Administrators should apply the updates referenced in RHSA-2018:1607 and RHSA-2018:1608. Specific patch versions are available through the Red Hat Customer Portal.

Remediation

  1. Upgrade: Apply the latest patches from Red Hat via RHSA-2018:1607 and RHSA-2018:1608. If you are running JBoss EAP 5.x, migrate to a supported version (EAP 7.x or later) which removes the vulnerable HTTP Invoker entirely in favor of modern remoting protocols.
  2. Remove or Disable the HTTP Invoker: If the HTTP Invoker is not required for business operations, remove the invoker servlets and filters from web.xml or undeploy the invoker applications.
  3. Network Segmentation: Restrict access to JBoss management and invoker endpoints to authorized administrative hosts only. Never expose these interfaces to the public internet.
  4. Input Filtering: Implement a reverse proxy or Web Application Firewall (WAF) rule to block HTTP POST requests with Content-Type: application/x-java-serialized-object reaching the invoker endpoints.
  5. Compensating Controls: If patching is delayed, consider using a JVM agent or runtime application self-protection (RASP) tool that monitors and blocks dangerous deserialization operations.

Detection

  • Network Signatures: Monitor for unsolicited POST requests to /invoker/* paths containing large binary payloads with Java serialization magic bytes (0xAC 0xED 0x00 0x05 at the start of the body).
  • Host Signatures: Unexpected child processes spawned by the JBoss JVM (e.g., /bin/sh, cmd.exe, powershell.exe) or outbound network connections from the application server process.
  • Log Indicators: Abnormal errors in JBoss logs related to ClassNotFoundException or ObjectInputStream failures following invoker access may indicate failed exploitation attempts.
  • Vulnerability Scanning: Use authenticated and unauthenticated scanners that specifically test for Java deserialization on JBoss HTTP Invoker endpoints.

Assessment

This vulnerability is a textbook example of CWE-502 and remains highly relevant years after disclosure. With an EPSS score of 0.90713 (90.71% probability of exploitation) and a 0.99791 percentile, it sits in the top fraction of a percent of all CVEs by observed exploitation likelihood. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2021-12-10) and the EU Exploited Vulnerabilities Database confirms that threat actors routinely weaponize it.

Key Lessons:

  1. Deserialization is a critical trust boundary. Any code path that deserializes untrusted input must implement strict type whitelisting or adopt safer serialization formats (e.g., JSON with schema validation).
  2. Legacy middleware ages dangerously. JBoss EAP 5.x reached end-of-life years ago; organizations running unsupported application servers accumulate unpatched critical flaws. Maintaining an accurate asset inventory and lifecycle plan is essential.

References

Frequently asked questions

What is CVE-2017-12149?
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
How severe is CVE-2017-12149?
CVE-2017-12149 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-12149 being actively exploited?
Yes. CVE-2017-12149 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-12-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-12149?
CVE-2017-12149 primarily affects Redhat Jboss Enterprise Application Platform. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-12149?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-12149 have an EU (EUVD) identifier?
Yes. CVE-2017-12149 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-3733. It is also flagged as exploited in the EUVD (since 2021-12-10).
When was CVE-2017-12149 published?
CVE-2017-12149 was published on 2017-10-04 and last updated on 2026-06-17.

References

Affected products (9)

More vulnerabilities in Redhat Jboss Enterprise Application Platform

All CVEs affecting Redhat Jboss Enterprise Application Platform →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →