Main Vulnerability Database SB2017051911

SB2017051911 - Deserialization of untrusted data in JBoss Application Server

Published: May 19, 2017 Updated: December 26, 2017

Security Bulletin ID SB2017051911

CSH Severity

High

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Deserialization of untrusted data (CVE-ID: CVE-2017-7504)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in Red Hat JBoss Seam Framework due to deserialization of untrusted data in HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation. A remote attacker can send a specially crafted file to the web application and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://access.redhat.com/security/cve/cve-2017-7504