CVE-2017-12149

Name: CVE-2017-12149
Description: In the JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

Package   Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
jbossas4  source  wheezy      (unfixed)      end-of-life
jbossas4  source  (unstable)  (unfixed)

Notes

[wheezy] - jbossas4 <end-of-life> (incomplete packaging, 4.x series released more than nine years ago.)
