Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Red Hat JBoss Application Server Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in JBoss Application Server versions included with Red Hat Enterprise Application Platform 5.2. The issue arises because the 'doFilter' method in the 'ReadOnlyAccessFilter' of the HTTP Invoker does not properly restrict which classes can be deserialized. This flaw allows attackers to execute arbitrary code by sending crafted serialized data. The vulnerability is known to be exploited in ransomware campaigns.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where JBoss Application Server is running.

Reproduction

To reproduce this vulnerability, deploy an application on JBoss Application Server 5.2 that uses the HTTP Invoker. The vulnerability can be triggered by sending serialized data that exploits the deserialization process in the 'ReadOnlyAccessFilter', allowing arbitrary code to be executed on the server.

Remediation

Users can update to the latest version of Red Hat JBoss Enterprise Application Platform 5.2.0, where this vulnerability has been addressed. Instructions for applying the update are available on the Red Hat JBoss Enterprise Application Platform documentation page.

Added: May 15, 2026, 10:50 AM
Updated: May 15, 2026, 10:50 AM

Vulnerability Rating

Custom Algorithm

  spread          7.3
  impact          7.5
  exploitability  9.2
  remediation     8.3
  relevance       0.0
  threat          9.9
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.