Skip to main content

4. Principle of JBoss deserialisation

CVE-2017-12149

The vulnerability exists in the ReadOnlyAccessFilter filter within the JBoss HttpInvoker component. Without performing any security checks, it attempts to deserialise the data stream from the client. The source code can be found in jboss\server\all\deploy\httpha-invoker.sar\invoker.war\WEB-INF\classes\org\jboss\invocation\http\servlet\ReadOnlyAccessFilter.class. The filter retrieves data from the HTTP request and calls the readObject() method to perform deserialisation without any inspection or filtering. Consequently, the invoker/JMXInvokerServlet path in JBoss is exposed externally, and the JMX component supports Java deserialisation.