Red Hat · Red Hat JBoss Application Server · CVE-2017-12149
**Name of the Vulnerable Software and Affected Versions**
Red Hat JBoss Application Server versions as shipped with Red Hat Enterprise Application Platform 5.2
**Description**
The `doFilter` method of the `ReadOnlyAccessFilter` in the HTTP Invoker deserializes the body of incoming HTTP requests with a plain `ObjectInputStream`, placing no restriction on which classes may be instantiated. Java deserialization runs class-specific logic (`readObject`, `readResolve`, and similar hooks) while it reconstructs objects, so an attacker who can reach the invoker endpoint can post a crafted serialized object graph whose classes execute attacker-controlled behaviour as they are restored. The result is remote code execution with the privileges of the application server process; the weakness is deserialization of untrusted data (CWE-502).
**Recommendations**
For Red Hat JBoss Application Server as shipped with Red Hat JBoss Enterprise Application Platform 5.2, the workaround is to stop the vulnerable code path from being reachable rather than to "disable a method": remove the `ReadOnlyAccessFilter` from the HTTP Invoker web application (delete its `<filter>` and `<filter-mapping>` entries from that application's `WEB-INF/web.xml` and restart), or, if the HTTP Invoker is not used at all, undeploy it entirely. Independently of that, restrict network access to the invoker endpoint (firewall rules or a reverse proxy that requires authentication), and reject request bodies that begin with the Java serialization stream header (`AC ED 00 05`) at the proxy or WAF, since the endpoint should never receive serialized Java objects from untrusted clients. After applying the workaround, verify it by confirming that a request to the invoker path with a serialized body is no longer processed by the filter. At the time of writing, no fixed version is listed for this vulnerability, so these mitigations are the control.