logo
DATABASE RESOURCES PRICING ABOUT US

Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references

Description

### Overview Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references. ### Description Several Java implementations of Action Message Format (AMF3) are vulnerable to one or more of the following implementation errors: [**CWE-502**](<http://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data** Some Java implementations of AMF3 deserializers derive class instances from `java.io.Externalizable` rather than the [AMF3 specification](<http://www.adobe.com/go/amfspec>)'s recommendation of `flash.utils.IExternalizable`. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. The reporter has identified the following products and versions as being affected, and CVE ID have been assigned as follows: \- Atlassian JIRA, versions from 4.2.4 prior to version 6.3.0 - CVE-2017-5983 \- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3201 \- GraniteDS, version 3.1.1.GA - CVE-2017-3199 \- Pivotal/Spring spring-flex - CVE-2017-3203 \- WebORB for Java by Midnight Coders, version 5.1.1.0 - CVE-2017-3207 Products using these libraries may also be impacted. [**CWE-913**](<http://cwe.mitre.org/data/definitions/913.html>)**: Improper Control of Dynamically-Managed Code Resources** Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. The reporter has identified the following products and versions as being affected, and CVE ID have been assigned as follows: \- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3202 \- Flex BlazeDS , versions 4.6.0.23207 and 4.7.2 - CVE-2017-5641 \- GraniteDS, version 3.1.1.GA - CVE-2017-3200 Products using these libraries may also be impacted. [**CWE-611**](<https://cwe.mitre.org/data/definitions/611.html>)**: Improper Restriction of XML External Entity Reference ('XXE')** Some Java implementations of AMF3 deserializers allow external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery. \- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3206 \- Flex BlazeDS , version 4.6.0.23207 - CVE-2015-3269 \- GraniteDS, version 3.1.1.GA - CVE-2016-2340 (see [VU#279472](<http://www.kb.cert.org/vuls/id/279472>)) \- WebORB for Java by Midnight Coders, version 5.1.1.0 - CVE-2017-3208 Products using these libraries may also be impacted. More information is provided in the researcher's [advisory](<http://codewhitesec.blogspot.com/2017/04/amf.html>). --- ### Impact A remote attacker with the ability to spoof or control a server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. --- ### Solution **Apply an update if available** CERT/CC recommends applying an update or patch to your product if available. Some vendors have responded that only out-of-support versions of products are impacted. In these cases, CERT/CC recommends updating your product to the latest supported version. More details are included for each vendor in the vendor records below. --- **Developers should use an updated JDK** Developers should use an updated Java development kit (JDK). JDK 8 update 121, JDK 7 update 131 and JDK 6 update 141 implement basic serialization blacklisting filters, while more serialization protection measures are expected in the upcoming Java 9. For more information, please see [JEP 290](<http://openjdk.java.net/jeps/290>). **Developers should be suspicious of deserialized data from untrusted sources** Developers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the [_CERT Oracle Coding Standard for Java_](<https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407>) guidelines for Serialization, especially rules [_SER12-J_](<https://www.securecoding.cert.org/confluence/display/java/SER12-J.+Prevent+deserialization+of+untrusted+classes>) and [_SER13-J_](<https://www.securecoding.cert.org/confluence/display/java/SER13-J.+Treat+data+to+be+deserialized+as+potentially+malicious+by+default>). ** Use firewall rules or filesystem restrictions** System administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. If an affected application utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue. --- ### Vendor Information 307983 Filter by status: All Affected Not Affected Unknown Filter by content: __ Additional information available __ Sort by: Status Alphabetical Expand all **Javascript is disabled. Click here to view vendors.** ### Adobe __ Affected Notified: March 28, 2017 Updated: April 03, 2017 **Statement Date: March 31, 2017** ### Status Affected ### Vendor Statement We have not received a statement from the vendor. ### Vendor Information Affected versions (< 4.7) of Adobe Flex BlazeDS are no longer supported. Any affected users should upgrade to a newer version of BlazeDS now supported by the Apache Software Foundation. ### Apache Software Foundation __ Affected Notified: March 28, 2017 Updated: April 07, 2017 **Statement Date: April 04, 2017** ### Status Affected ### Vendor Statement We have not received a statement from the vendor. ### Vendor Information Apache Flex BlazeDS [version 4.7.3](<https://flex.apache.org/download-blazeds.html>) addresses CVE-2017-5641 by restricting classes to only those whitelisted. Affected users are encouraged to upgrade. The XXE vulnerability (CVE-2015-3269) was previously addressed in version 4.7.1. ### Vendor References * <https://issues.apache.org/jira/browse/FLEX-35290> * <http://www.apache.org/dyn/closer.lua/flex/BlazeDS/4.7.3/> * <http://apache-flex-users.2333346.n4.nabble.com/CVE-2015-3269-Apache-Flex-BlazeDS-Insecure-Xml-Entity-Expansion-Vulnerability-td10976.html> * <https://flex.apache.org/download-blazeds.html> ### Atlassian __ Affected Updated: April 07, 2017 ### Status Affected ### Vendor Statement Atlassian has identified that JIRA versions from 4.2.4 prior to version 6.3.0 are impacted. These versions are all currently unsupported. ### Vendor Information Atlassian has released [JIRA Security Advisory 2017-03-09](<https://confluence.atlassian.com/display/JIRA063/JIRA+Security+Advisory+2017-03-09>) for this issue. CVE-2017-5983 was assigned according to ticket [JRA-64077](<https://jira.atlassian.com/browse/JRA-64077?src=confmacro>). ### Vendor References * <https://confluence.atlassian.com/display/JIRA063/JIRA+Security+Advisory+2017-03-09> * <https://jira.atlassian.com/browse/JRA-64077?src=confmacro> ### VMware __ Affected Notified: March 16, 2017 Updated: April 14, 2017 **Statement Date: April 14, 2017** ### Status Affected ### Vendor Statement We have not received a statement from the vendor. ### Vendor Information VMware uses Flex BlazeDS, and has released security advisory [VMSA-2017-0007](<https://www.vmware.com/security/advisories/VMSA-2017-0007.html>) to address this issue. ### Vendor References * <https://www.vmware.com/security/advisories/VMSA-2017-0007.html> ### Exadel Unknown Notified: March 28, 2017 Updated: March 28, 2017 ### Status Unknown ### Vendor Statement We have not received a statement from the vendor. ### Vendor References ### Granite Data Services Unknown Notified: March 16, 2017 Updated: March 16, 2017 ### Status Unknown ### Vendor Statement We have not received a statement from the vendor. ### Vendor References ### Hewlett Packard Enterprise Unknown Notified: March 28, 2017 Updated: March 28, 2017 ### Status Unknown ### Vendor Statement We have not received a statement from the vendor. ### Vendor References ### Midnight Coders __ Unknown Notified: March 16, 2017 Updated: April 03, 2017 **Statement Date: March 16, 2017** ### Status Unknown ### Vendor Statement The demonstrated code would not be able to be able to cause any harm for the reason that calling `setAutoCommit( true )` requires a connection object which is not even initialized at that time (see lines 4067-4087 at: `<http://www.docjar.com/html/api/com/sun/rowset/JdbcRowSetImpl.java.html>`). Additionally, in our implementation all `com.sun.*` and` java.*` classes are excluded from deserialization. ### Vendor Information We are not aware of further vendor information regarding this vulnerability. ### Pivotal Unknown Notified: March 28, 2017 Updated: March 28, 2017 ### Status Unknown ### Vendor Statement We have not received a statement from the vendor. ### Vendor References ### SonicWall Unknown Notified: March 28, 2017 Updated: March 28, 2017 ### Status Unknown ### Vendor Statement We have not received a statement from the vendor. ### Vendor References ### CVSS Metrics Group | Score | Vector ---|---|--- Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C Temporal | 8.4 | E:POC/RL:U/RC:C Environmental | 6.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND ### References * <http://codewhitesec.blogspot.com/2017/04/amf.html> * <http://openjdk.java.net/jeps/290> * <http://www.kb.cert.org/vuls/id/279472> * <http://www.adobe.com/go/amfspec> * <https://cwe.mitre.org/data/definitions/502.html> * <https://cwe.mitre.org/data/definitions/913.html> * <https://cwe.mitre.org/data/definitions/611.html> ### Acknowledgements Thanks to Markus Wulftange for reporting this vulnerability. This document was written by Garret Wassermann. ### Other Information **CVE IDs:** | [CVE-2015-3269](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-3269>), [CVE-2016-2340](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2340>), [CVE-2017-5641](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-5641>), [CVE-2017-5983](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-5983>), [CVE-2017-3199](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3199>), [CVE-2017-3200](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3200>), [CVE-2017-3201](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3201>), [CVE-2017-3202](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3202>), [CVE-2017-3203](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3203>), [CVE-2017-3206](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3206>), [CVE-2017-3207](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3207>), [CVE-2017-3208](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-3208>) ---|--- **Date Public:** | 2017-04-04 **Date First Published:** | 2017-04-04 **Date Last Updated: ** | 2017-04-14 15:08 UTC **Document Revision: ** | 90


Related