JBoss Java Object Deserialization RCE

critical Nessus Plugin ID 87312
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote JBoss server is affected by multiple remote code execution vulnerabilities.


The remote JBoss server is affected by multiple remote code execution vulnerabilities :

- A flaw exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. A remote attacker can exploit this issue to bypass authentication and invoke MBean methods, allowing arbitrary code to be executed in the context of the user running the server.

- The remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted RMI request, to execute arbitrary code on the target host.


Apply the appropriate interim fix according to the vendor advisory.
Alternatively, ensure that all exposed ports used by the JBoss server are firewalled from any public networks.

See Also



Plugin Details

Severity: Critical

ID: 87312

File Name: jboss_java_serialize.nasl

Version: 1.16

Type: remote

Family: Web Servers

Published: 12/10/2015

Updated: 11/22/2019

Dependencies: http_version.nasl

Risk Information

CVSS Score Source: CVE-2015-7501


Risk Factor: High

Score: 7.4


Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:F/RL:OF/RC:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:redhat:jboss_a-mq, cpe:/a:redhat:jboss_bpm_suite, cpe:/a:redhat:jboss_data_virtualization, cpe:/a:redhat:jboss_enterprise_application_platform, cpe:/a:redhat:jboss_enterprise_brms_platform, cpe:/a:redhat:jboss_enterprise_portal_platform, cpe:/a:redhat:jboss_enterprise_soa_platform, cpe:/a:redhat:jboss_enterprise_web_server, cpe:/a:redhat:jboss_fuse, cpe:/a:redhat:jboss_fuse_service_works, cpe:/a:redhat:jboss_operations_network, x-cpe:/a:redhat:jboss_data_grid

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 1/24/2013

Exploitable With


Core Impact

Reference Information

CVE: CVE-2012-0874, CVE-2015-7501

BID: 57552, 78215

CERT: 576313

EDB-ID: 30211