Description

Red Hat Jboss Application Server could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation. By using specially-crafted serialized data, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Remediation

Upgrade to the latest version of JBoss.

References

CVE-2017-7504 jboss: JbossMQ HTTP Invocation Layer deserialization vulnerability

CVE-2017-7504

Related Vulnerabilities

Spring Boot Whitelabel Error Page SpEL

WordPress Plugin All-in-One WP Migration Remote Code Execution (2.0.2)

WordPress Plugin Duplicator-WordPress Migration Remote Code Execution (1.2.40)

WordPress 6.1.x Shortcode Execution (6.1 - 6.1.2)

Nginx PHP code execution via FastCGI

Severity

High

Classification

CVE-2017-7504 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor