Arbitrary Code Execution via Deserialization in JbossMQ Implementation

Arbitrary Code Execution via Deserialization in JbossMQ Implementation

CVE-2017-7504 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

Learn more about our Cis Benchmark Audit For Server Software.