Java AMF3 exposed to remote code execution vulnerabilities - vulnerability warning - the black bar safety net

Source: www.myhack58.com (MYHACK58:62201785037)
Published: 2017-04-07 00:00:00
Author: Anonymous (佚名)
CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.089 Low (Percentile 93.9%)


Recently, the German security team @codewhitesec found vulnerabilities in several Java AMF3 implementations, and the US CERT/CC has also issued a security advisory. An attacker who can spoof or control a service connection can execute arbitrary code when the AMF3 data is deserialized. Patches have already been released for some of the affected products.

AMF3 is the latest version of Adobe's Action Message Format, used to serialize ActionScript object graphs into a compact binary format. AMF first appeared in Flash Player 6 in 2001, and AMF3 arrived with Flash Player 9.

Serialization is the process of converting an object into a byte stream so that it can be stored in memory or in a file, or transmitted. Deserialization is the reverse process, reconstructing the object from the serialized data; if that process is not handled properly, serious security problems arise.

The CERT/CC security bulletin mentions three vulnerabilities. The first allows an attacker to spoof or control an RMI (Remote Method Invocation) server to execute code. The second can be exploited by an attacker to achieve arbitrary code execution; it affects Flamingo, Apache Flex BlazeDS and GraniteDS. An XXE vulnerability also affects these products, and additionally WebORB for Java. Details are as follows:

Vulnerability overview

Java AMF3 implementations contain unsafe deserialization and XML external entity injection vulnerabilities, affecting multiple products. For a vulnerability summary see KB-CERT VU#307983; for a detailed technical analysis see the [codewhitesec blog](https://codewhitesec.blogspot.kr/2017/04/amf.html).

Vulnerability description

Untrusted data deserialization vulnerability

Some Java AMF3 deserialization implementations instantiate classes derived from java.io.Externalizable rather than from flash.utils.IExternalizable, the class recommended by the specification. A remote attacker can therefore spoof or control an RMI service connection that carries serialized Java objects and execute arbitrary code when they are deserialized.


The affected products and their CVE numbers are as follows:

Atlassian JIRA, versions 4.2.4 to 6.3.0 – CVE-2017-5983

Flamingo amf-serializer by Exadel, version 2.2.0 – CVE-2017-3201

GraniteDS, version 3.1.1.GA – CVE-2017-3199

Pivotal/Spring spring-flex – CVE-2017-3203

WebORB for Java by Midnight Coders, version 5.1.1.0 – CVE-2017-3207

Other products that use these libraries may also be affected.

Improper control of dynamically-managed code resources vulnerability

Some Java AMF3 deserialization implementations construct arbitrary instances of a class through its public no-argument constructor, or call arbitrary Java Beans setter methods. Whether the vulnerability can be exploited depends on which classes are available on the classpath of the deserializing application. A remote attacker can send crafted serialized Java objects over a spoofed or controlled connection and execute arbitrary code when they are deserialized.

The affected products and their CVE numbers are as follows:

Flamingo amf-serializer by Exadel, version 2.2.0 – CVE-2017-3202

Flex BlazeDS, versions 4.6.0.23207 and 4.7.2 – CVE-2017-5641

GraniteDS, version 3.1.1.GA – CVE-2017-3200

Other products that use these libraries may also be affected.

Improper restriction of XML external entity references (XXE) vulnerability

Some Java AMF3 deserialization implementations resolve external entity references in XML documents embedded in AMF3 messages. When the XML parser processes such references, sensitive information on the server can be disclosed, and the flaw can also lead to denial of service and server-side request forgery (SSRF) attacks.

The affected products and their CVE numbers are as follows:

Flex BlazeDS, version 4.6.0.23207 – CVE-2015-3269

GraniteDS, version 3.1.1.GA – CVE-2016-2340 (see VU#279472)

WebORB for Java by Midnight Coders, version 5.1.1.0 – CVE-2017-3208

Other products that use these libraries may also be affected.
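The XXE weakness above exists because the XML parser that handles the embedded document is left at its defaults, which resolve DTDs and external entities. The following is an added example, not code from the advisory or the affected libraries, of a JAXP DocumentBuilderFactory configured so that embedded XML cannot declare or resolve external entities; the two sample documents are constructed, and the placeholder URI in the second one points nowhere.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example (not from the advisory or the affected libraries): a DOM parser
// hardened so that XML arriving inside a message cannot use a DOCTYPE or any
// external entity.
public class HardenedXmlParser {

    // Constructed sample inputs. The first is ordinary data; the second carries a
    // DOCTYPE with an external entity pointing at a placeholder URI.
    static final String PLAIN = "<data>hello</data>";
    static final String WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/not-real.txt\">]>\n"
          + "<data>&ext;</data>";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE outright: no internal or external DTD means no entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a deployment has to allow DOCTYPE again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the root element's text, or throws SAXException when the parser
    // rejects the document.
    static String parseRootText(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document: " + parseRootText(PLAIN));
        try {
            parseRootText(WITH_DOCTYPE);
            System.out.println("unexpected: document with DOCTYPE accepted");
        } catch (SAXException e) {
            // The JDK's built-in Xerces parser reports the DOCTYPE as a fatal error
            // before it ever tries to resolve the entity.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The feature URIs are the ones the JDK's bundled Xerces parser understands; a different JAXP implementation may not support all of them, and setFeature throws ParserConfigurationException for an unsupported one, which is the safe failure mode (the parser is never created in a half-hardened state). Disallowing DOCTYPE is the setting that matters most, since it removes entity declarations entirely rather than relying on the parser to leave them unexpanded.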

Vulnerability impact

An attacker who can spoof or control a service connection can send serialized Java objects and execute arbitrary code when they are deserialized.

Solution

Update the affected software to the latest version;

Application developers should use newer JDK releases: JDK 8 update 121, JDK 7 update 131 and JDK 6 update 141 include a serialization blacklist filter, and the upcoming JDK 9 is more secure still;

Developers should heed the security guidance of not deserializing data from untrusted sources; and

Configure firewall rules or file system restrictions.

Current affected vendor information

Some of the libraries, such as GraniteDS and Flamingo, are no longer supported, while Atlassian and Apache have released patches for their products. CERT/CC indicates that HP, SonicWall and VMware products may also be affected.
