
[Vulnerability notice] CVE-2017-12149: Deserialization command execution vulnerability in JBossAS 5.x/6.x

Last Updated: Apr 02, 2018

On August 30, 2017, Red Hat announced a critical remote code execution vulnerability in JBossAS 5.x, with the vulnerability ID CVE-2017-12149. Recently, security researchers found that JBossAS 6.x is also affected. Attackers can exploit this vulnerability to run arbitrary code on the operating system without user authentication.

See the following for more information about the vulnerability.

CVE identifier

CVE-2017-12149

Vulnerability name

JBossAS 5.x/6.x deserialization command execution vulnerability

Vulnerability rating


Vulnerability description

This vulnerability exists in the ReadOnlyAccessFilter of JBossAS HttpInvoker. This filter attempts to perform deserialization on the data streams from clients without any security check.

Condition and method of exploitation

The vulnerability can be exploited remotely by using a PoC.

PoC status


Affected scope

JBossAS 5.x/6.x

Vulnerability detection

Check whether any affected version of JBossAS is used.

How to fix or mitigate

  • If your service does not need the http-invoker.sar component, delete this component.

  • Add the following line to the security-constraint tag in the web.xml file under http-invoker.sar to restrict access to the HTTP invoker: <url-pattern>/*</url-pattern>.
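
To confirm that the second mitigation was applied, the following added example (not part of the original notice and not JBoss code) parses a web.xml document and reports whether a security-constraint that carries an auth-constraint covers `/*`. The two sample documents, the `HttpInvokers` resource name and the `HttpInvoker` role are constructed for illustration; point the functions at the real web.xml under http-invoker.sar to audit a server.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not copied from a JBoss distribution): a
# constraint that covers only one sub-path, and the same constraint after
# adding the <url-pattern>/*</url-pattern> line from the mitigation.
BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HttpInvokers</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HttpInvoker</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
AFTER = BEFORE.replace("<url-pattern>/restricted/*</url-pattern>",
                       "<url-pattern>/restricted/*</url-pattern>\n"
                       "      <url-pattern>/*</url-pattern>")

def _named(elem, name):
    """Child elements called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text):
    """Summarise every <security-constraint> in a web.xml document."""
    findings = []
    for sc in _named(ET.fromstring(xml_text), "security-constraint"):
        patterns = [(p.text or "").strip()
                    for wrc in _named(sc, "web-resource-collection")
                    for p in _named(wrc, "url-pattern")]
        findings.append({"patterns": patterns,
                         "has_auth": bool(_named(sc, "auth-constraint"))})
    return findings

def invoker_restricted(xml_text):
    """True only if a constraint with an auth-constraint covers /*."""
    return any(f["has_auth"] and "/*" in f["patterns"]
               for f in audit_web_xml(xml_text))

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, "restricted:", invoker_restricted(doc), audit_web_xml(doc))
```

A `False` result means the `/*` pattern is missing or sits in a constraint without an auth-constraint, so the invoker paths outside the listed patterns remain reachable without authentication.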


[1]. https://access.redhat.com/security/cve/cve-2017-12149
