On August 30, 2017, Red Hat announced a critical remote code execution vulnerability in JBossAS 5.x, tracked as CVE-2017-12149. Security researchers have since found that JBossAS 6.x is also affected. An attacker can exploit this vulnerability to run arbitrary code on the underlying operating system without any user authentication.
See the following for more information about the vulnerability.
JBossAS 5.x/6.x deserialization command execution vulnerability
This vulnerability exists in the ReadOnlyAccessFilter of the JBossAS HttpInvoker. The filter deserializes the data stream sent by the client without performing any security check on it.
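To make the difference between unchecked and checked deserialization concrete, here is an added example (not code from JBoss or from the advisory) that places an unfiltered reader next to one hardened with a Java serialization filter. The class and method names are hypothetical; the payloads are constructed in main(). It assumes Java 9 or later, where java.io.ObjectInputFilter is available (on Java 8u121 and later the equivalent interface lives in sun.misc.ObjectInputFilter).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;

public class InvokerPayloadReader {

    // Allow-list filter (hypothetical policy): only the classes the endpoint actually expects,
    // plus hard limits on object-graph depth and reference count. "!*" rejects everything else.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;java.lang.String;java.lang.Integer;!*");

    /** Unchecked deserialization: any class present on the server's classpath may be instantiated. */
    static Object readUnchecked(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    /** Checked deserialization: the filter is consulted for every class before it is resolved,
     *  so a class outside the allow-list raises InvalidClassException instead of being loaded. */
    static Object readChecked(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    /** Helper to build serialized payloads for the demonstration. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one expected value and one object whose class is not on the allow-list.
        byte[] expected = serialize("ping");
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unchecked, expected:   " + readUnchecked(expected));
        System.out.println("unchecked, unexpected: " + readUnchecked(unexpected)); // silently accepted

        System.out.println("checked, expected:     " + readChecked(expected));
        try {
            readChecked(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("checked, unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of the comparison is that the unchecked reader accepts the HashMap just as readily as the String; it has no notion of what the endpoint expects. The filtered reader rejects it before the class is resolved, which is the property the vulnerable filter lacks. An allow-list is preferable to a deny-list of known gadget classes, because the list of gadgets changes with every library on the classpath.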
Condition and method of exploitation
The vulnerability can be exploited remotely, and a proof of concept (PoC) is available.
Check whether any affected version of JBossAS is used.
How to fix or mitigate
If your service does not need the http-invoker.sar component, delete this component.
Add the following code to the security-constraint tag in http-invoker.sar to restrict access to the http invoker: