CVE-2017-12149

Name: CVE-2017-12149
Description: In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release | Version    | Status
jbossas4 (PTS)  | wheezy  | 4.2.3.GA-7 | vulnerable

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
jbossas4 | source | (unstable) | (unfixed)     | high        |        |
jbossas4 | source | wheezy     | (unfixed)     | end-of-life |        |

Notes

[wheezy] - jbossas4 <end-of-life> (incomplete packaging, 4.x series released more than nine years ago.)
