CVE-2017-12149
CVE-2017-12149 is a critical-severity vulnerability in Redhat Jboss Enterprise Application Platform with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-12-10). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 91% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-12-10)
- EU (EUVD) id: EUVD-2017-3733
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-12-10)
- Weakness: CWE-502
- Affected product: Redhat Jboss Enterprise Application Platform
- Published:
- Last modified:
Description
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
CVE-2017-12149: JBoss HTTP Invoker Deserialization Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-12149 |
| CWE | CWE-502: Deserialization of Untrusted Data |
| CVSS v3 | 9.8 (CRITICAL) |
| CVSS v2 | 7.5 (HIGH) |
| EPSS | 90.71% |
| CISA KEV | Listed (2021-12-10) |
| Published | 2017-10-04 |
| Last Modified | 2026-06-17 |
Summary
JBoss Application Server, as shipped with Red Hat Enterprise Application Platform (EAP) 5.2, contains a critical deserialization vulnerability in the HTTP Invoker's ReadOnlyAccessFilter. The doFilter method deserializes arbitrary Java objects from incoming HTTP requests without class restriction, allowing an unauthenticated remote attacker to execute arbitrary code by submitting a crafted serialized payload.
Background
JBoss EAP 5.x includes an HTTP Invoker service that exposes EJB beans over HTTP via servlet filters. The ReadOnlyAccessFilter was intended to provide a read-only interface to JNDI and EJB invocation endpoints. However, the underlying deserialization mechanism trusts the class types embedded within the serialized stream, a classic anti-pattern in Java remote communication frameworks predating modern secure-coding standards.
Root Cause
CWE-502: Deserialization of Untrusted Data
The root cause lies in the doFilter implementation within ReadOnlyAccessFilter, which passes attacker-controlled input directly into Java's native deserialization framework (ObjectInputStream). No class whitelist, look-ahead deserialization, or type-checking is performed. Consequently, any class available on the application classpath can be instantiated and its methods invoked during deserialization. Attackers leverage "gadget chains" — sequences of existing classes whose readObject, finalize, or other methods perform dangerous side effects — to achieve arbitrary code execution.
Impact
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable over any routable TCP/IP path |
| Attack Complexity | Low | No special conditions or race conditions required |
| Privileges Required | None | Fully unauthenticated |
| User Interaction | None | No victim action needed |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | High | Full data disclosure possible |
| Integrity | High | Full data and system modification possible |
| Availability | High | System availability can be fully compromised |
The CVSS v3.1 score of 9.8 (CRITICAL) and CVSS v2 score of 7.5 (HIGH) reflect that this is an unauthenticated, network-exploitable remote code execution (RCE) vulnerability with trivial complexity. Given that the HTTP Invoker is often exposed to internal networks (and sometimes the internet) for remote EJB access, the attack surface is significant.
Exploitation Walkthrough
Ethics Caveat: The following description is provided for defensive purposes only — to aid detection, understanding, and remediation. The information is derived from public advisories and is already widely documented. Do not use this knowledge to attack systems without explicit authorization.
From a defender's perspective, exploitation follows this generic pattern:
- Reconnaissance: The attacker identifies a reachable JBoss HTTP Invoker endpoint, typically at paths such as
/invoker/JMXInvokerServletor/invoker/EJBInvokerServlet. - Payload Crafting: Using publicly available gadget chains compatible with the target's classpath (e.g., Commons Collections, Groovy, or JBoss-specific libraries), the attacker constructs a serialized Java object whose deserialization triggers a chain of method calls culminating in OS command execution.
- Delivery: The crafted payload is sent as the HTTP POST body to the invoker endpoint with a content type of
application/x-java-serialized-object. - Execution: The server deserializes the payload, the gadget chain executes, and the attacker gains remote shell access or equivalent control.
Because no authentication is required and the attack complexity is low, automated exploitation is prevalent. The high EPSS score confirms active, widespread exploitation in the wild.
Affected and Patched Versions
Affected Products:
- Red Hat JBoss Enterprise Application Platform 5.0.0
- Red Hat JBoss Enterprise Application Platform 5.0.1
- Red Hat JBoss Enterprise Application Platform 5.1.0
- Red Hat JBoss Enterprise Application Platform 5.1.1
- Red Hat JBoss Enterprise Application Platform 5.1.2
- Red Hat JBoss Enterprise Application Platform 5.2.0
- Red Hat JBoss Enterprise Application Platform 5.2.1
- Red Hat JBoss Enterprise Application Platform 5.2.2
- Red Hat JBoss Enterprise Application Platform text-only variant
Patches:
Red Hat released security errata to address this vulnerability. Administrators should apply the updates referenced in RHSA-2018:1607 and RHSA-2018:1608. Specific patch versions are available through the Red Hat Customer Portal.
Remediation
- Upgrade: Apply the latest patches from Red Hat via RHSA-2018:1607 and RHSA-2018:1608. If you are running JBoss EAP 5.x, migrate to a supported version (EAP 7.x or later) which removes the vulnerable HTTP Invoker entirely in favor of modern remoting protocols.
- Remove or Disable the HTTP Invoker: If the HTTP Invoker is not required for business operations, remove the invoker servlets and filters from
web.xmlor undeploy the invoker applications. - Network Segmentation: Restrict access to JBoss management and invoker endpoints to authorized administrative hosts only. Never expose these interfaces to the public internet.
- Input Filtering: Implement a reverse proxy or Web Application Firewall (WAF) rule to block HTTP POST requests with
Content-Type: application/x-java-serialized-objectreaching the invoker endpoints. - Compensating Controls: If patching is delayed, consider using a JVM agent or runtime application self-protection (RASP) tool that monitors and blocks dangerous deserialization operations.
Detection
- Network Signatures: Monitor for unsolicited POST requests to
/invoker/*paths containing large binary payloads with Java serialization magic bytes (0xAC 0xED 0x00 0x05at the start of the body). - Host Signatures: Unexpected child processes spawned by the JBoss JVM (e.g.,
/bin/sh,cmd.exe,powershell.exe) or outbound network connections from the application server process. - Log Indicators: Abnormal errors in JBoss logs related to
ClassNotFoundExceptionorObjectInputStreamfailures following invoker access may indicate failed exploitation attempts. - Vulnerability Scanning: Use authenticated and unauthenticated scanners that specifically test for Java deserialization on JBoss HTTP Invoker endpoints.
Assessment
This vulnerability is a textbook example of CWE-502 and remains highly relevant years after disclosure. With an EPSS score of 0.90713 (90.71% probability of exploitation) and a 0.99791 percentile, it sits in the top fraction of a percent of all CVEs by observed exploitation likelihood. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2021-12-10) and the EU Exploited Vulnerabilities Database confirms that threat actors routinely weaponize it.
Key Lessons:
- Deserialization is a critical trust boundary. Any code path that deserializes untrusted input must implement strict type whitelisting or adopt safer serialization formats (e.g., JSON with schema validation).
- Legacy middleware ages dangerously. JBoss EAP 5.x reached end-of-life years ago; organizations running unsupported application servers accumulate unpatched critical flaws. Maintaining an accurate asset inventory and lifecycle plan is essential.
References
- http://www.securityfocus.com/bid/100591
- https://access.redhat.com/errata/RHSA-2018:1607
- https://access.redhat.com/errata/RHSA-2018:1608
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149
Frequently asked questions
- What is CVE-2017-12149?
- In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.
- How severe is CVE-2017-12149?
- CVE-2017-12149 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-12149 being actively exploited?
- Yes. CVE-2017-12149 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-12-10, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-12149?
- CVE-2017-12149 primarily affects Redhat Jboss Enterprise Application Platform. In total, 9 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-12149?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-12149 have an EU (EUVD) identifier?
- Yes. CVE-2017-12149 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-3733. It is also flagged as exploited in the EUVD (since 2021-12-10).
- When was CVE-2017-12149 published?
- CVE-2017-12149 was published on 2017-10-04 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/100591
- https://access.redhat.com/errata/RHSA-2018:1607
- https://access.redhat.com/errata/RHSA-2018:1608
- https://bugzilla.redhat.com/show_bug.cgi?id=1486220
- https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12149
Affected products (9)
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2.2:*:*:*:*:*:*:*
More vulnerabilities in Redhat Jboss Enterprise Application Platform
- CVE-2018-14721 — Critical (CVSS 10.0): FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF)…
- CVE-2019-14892 — Critical (CVSS 9.8): A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit…
- CVE-2019-17531 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
- CVE-2019-17267 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to…
- CVE-2019-10212 — Critical (CVSS 9.8): A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an…
- CVE-2019-16943 — Critical (CVSS 9.8): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is…
All CVEs affecting Redhat Jboss Enterprise Application Platform →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →