Arbitrary Code Execution via Deserialization in JbossMQ Implementation
CVE-2017-7504 · HIGH Severity
AV:N/AC:L/AU:N/C:P/I:P/A:P
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.
Learn more about our Cis Benchmark Audit For Server Software.