Description
The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.
It was discovered that the LegacyInvokerServlet is exposed on all network interfaces and deserializes objects sent to it. An attacker could use this flaw to cause remote code execution in the JVM running it.
Mitigation
The PooledInvokerServlet is no longer required and can be removed by following the details in this knowledge base solution: https://access.redhat.com/solutions/178393
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat JBoss BRMS 5 | jbossas | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 4 | jbossas | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 5 | jbossas | Will not fix | | |
| Red Hat JBoss SOA Platform 4 | JBossAS | Will not fix | | |
| Red Hat JBoss SOA Platform 5 | JBossAS | Will not fix | | |
Additional information
Status:
EPSS
CVSS2: 7.5 High
Related vulnerabilities