9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.089 Low
EPSS
Percentile
93.9%
Recently the German security team @codewhitesec found vulnerabilities in several Java AMF3 implementations, and the US CERT/CC has also issued a security advisory. An attacker who can spoof or control a service connection can execute arbitrary code remotely during AMF3 deserialization. Patches have been released for some of the affected products.
AMF3 is the latest version of the Adobe Action Message Format, which is used to serialize ActionScript object graphs into a compact binary format. AMF first appeared in 2001 with Flash Player 6, and AMF3 arrived with Flash Player 9.
Serialization is the process of converting an object into a byte stream so that the object can be stored in memory or in a file, or transmitted. Deserialization is the reverse process, which restores the serialized data to an object; if this process is not handled carefully, it creates significant security issues.
The CERT/CC security bulletin mentions three vulnerabilities. The first allows an attacker who spoofs or controls an RMI (Remote Method Invocation) server to execute code. The second can be exploited by attackers to achieve arbitrary code execution; it affects Flamingo, Apache Flex BlazeDS and GraniteDS. An XXE vulnerability also affects these products, as well as WebORB for Java. Details are as follows:
Java AMF3 implementations contain unsafe deserialization and XML external entity (XXE) injection vulnerabilities, which affect multiple products. For a vulnerability summary see KB-CERT VU#307983; for a detailed technical analysis see the [codewhitesec blog](https://codewhitesec.blogspot.kr/2017/04/amf.html).
Some Java AMF3 implementations deserialize not only instances of classes derived from flash.utils.IExternalizable, as the specification recommends, but also instances of classes derived from java.io.Externalizable. A remote attacker can therefore spoof or control an RMI service connection that is used to serialize Java objects, and execute arbitrary code when the deserialization takes place.
The affected products and their CVE numbers are as follows:
Atlassian JIRA, versions 4.2.4 to 6.3.0: CVE-2017-5983
Flamingo amf-serializer by Exadel, version 2.2.0: CVE-2017-3201
GraniteDS, version 3.1.1.GA: CVE-2017-3199
Pivotal/Spring spring-flex: CVE-2017-3203
WebORB for Java by Midnight Coders, version 5.1.1.0: CVE-2017-3207
Other products that use these libraries may also be affected.
Some Java AMF3 implementations construct arbitrary instances of a class through its public no-argument constructor, or call arbitrary JavaBeans setter methods on them. Whether this can be exploited depends on which classes are available on the classpath of the deserializing application. A remote attacker can send a crafted serialized Java object and, by spoofing or controlling the connection, execute arbitrary code when it is deserialized.
The affected products and their CVE numbers are as follows:
Flamingo amf-serializer by Exadel, version 2.2.0: CVE-2017-3202
Flex BlazeDS, versions 4.6.0.23207 and 4.7.2: CVE-2017-5641
GraniteDS, version 3.1.1.GA: CVE-2017-3200
Other products that use these libraries may also be affected.
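The first two vulnerabilities above both come down to the deserializer letting the wire decide which class gets instantiated. The following added example (not code from BlazeDS, GraniteDS, Flamingo, WebORB or spring-flex; AmfObjectFactory, OrderDto and the alias com.example.dto.Order are hypothetical) shows the vulnerable shape beside a hardened one that resolves aliases only through a closed allowlist:

```java
import java.lang.reflect.Method;
import java.util.Map;
// Added illustration, not code from BlazeDS, GraniteDS, Flamingo, WebORB or
// spring-flex. Models an AMF3 deserializer turning a class alias from the wire
// into an instance and applying properties via JavaBeans setters. Java 9+.
public final class AmfObjectFactory {
    // Vulnerable shape from the advisory: any classpath class with a public
    // no-arg constructor is instantiated by name; any public setter is then called.
    static Object unsafeCreate(String alias, Map<String, Object> props) throws Exception {
        Object o = Class.forName(alias).getDeclaredConstructor().newInstance();
        applyProps(o, props);
        return o;
    }
    // Hardened shape: closed alias -> class map. Unknown aliases are rejected before
    // any constructor runs, so the classpath no longer decides what a message may create.
    static final Map<String, Class<?>> ALLOWED = Map.of("com.example.dto.Order", OrderDto.class);
    static Object safeCreate(String alias, Map<String, Object> props) throws Exception {
        Class<?> c = ALLOWED.get(alias);
        if (c == null) throw new SecurityException("AMF3 alias not allowlisted: " + alias);
        Object o = c.getDeclaredConstructor().newInstance();
        applyProps(o, props);
        return o;
    }
    // Bean-style setter dispatch shared by both paths: "id" -> setId(value).
    private static void applyProps(Object target, Map<String, Object> props) throws Exception {
        for (Map.Entry<String, Object> e : props.entrySet()) {
            String k = e.getKey();
            String name = "set" + Character.toUpperCase(k.charAt(0)) + k.substring(1);
            Method setter = null;
            for (Method m : target.getClass().getMethods()) {
                if (m.getName().equals(name) && m.getParameterCount() == 1) setter = m;
            }
            if (setter == null) throw new IllegalArgumentException("no setter for " + k);
            setter.invoke(target, e.getValue());
        }
    }
    // Hypothetical message type: the only class the hardened path will construct.
    public static final class OrderDto {
        private String id;
        public void setId(String id) { this.id = id; }
        public String getId() { return id; }
    }
    public static void main(String[] args) throws Exception {
        Map<String, Object> msg = Map.of("id", "42");      // constructed sample message
        System.out.println(((OrderDto) safeCreate("com.example.dto.Order", msg)).getId());
        try { safeCreate("java.util.ArrayList", msg); }   // alias outside the allowlist
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same gate applies to the Externalizable case: a class that is not in the allowlist never reaches readExternal, regardless of what it implements.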
Some Java AMF3 implementations allow an XML document embedded in an AMF3 message to reference external entities. When such a document is parsed, this can leak sensitive server-side information and can also lead to denial of service and server-side request forgery (SSRF) attacks.
The affected products and their CVE numbers are as follows:
Flex BlazeDS, version 4.6.0.23207: CVE-2015-3269
GraniteDS, version 3.1.1.GA: CVE-2016-2340 (see VU#279472)
WebORB for Java by Midnight Coders, version 5.1.1.0: CVE-2017-3208
Other products that use these libraries may also be affected.
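For the XXE case, the check a practitioner wants is the parser configuration used on the XML-in-AMF3 path. The following added example (not code from any product named above; AmfXmlParser and parseEmbeddedXml are hypothetical) refuses any DOCTYPE before an entity can be resolved and shows a constructed external-entity document being rejected while a plain document still parses:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
// Added illustration, not code from any product named in the advisory. It shows
// the parser configuration the XML-in-AMF3 code path needs: DOCTYPE is refused
// outright, so no external general or parameter entity is ever resolved.
public final class AmfXmlParser {
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Returns the document, or null when the payload carried a DOCTYPE and was refused.
    static Document parseEmbeddedXml(String xml) throws Exception {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            return null;   // a production server would log this as a suspicious message
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: an embedded document declaring an external entity, the
        // pattern the advisory describes. The entity target is a harmless placeholder.
        String hostile = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///dev/null\">]><d>&ext;</d>";
        String benign = "<order><id>42</id></order>";
        System.out.println(parseEmbeddedXml(hostile) == null ? "refused" : "parsed");
        System.out.println(parseEmbeddedXml(benign).getDocumentElement().getTagName());
    }
}
```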
An attacker who can spoof or control the service connection can remotely send a serialized Java object and execute arbitrary code when it is deserialized.
Update the affected program to the latest version;
Application developers should use newer JDK releases, such as JDK 8 update 121, JDK 7 update 131 and JDK 6 update 141, which include the serialization blacklist filter; the upcoming JDK 9 release is more secure still;
Developers should heed the security alert about not deserializing data from untrusted sources; and
Configure firewall rules or file system restrictions.
Some of the libraries, such as GraniteDS and Flamingo, are no longer supported; Atlassian and Apache have released patches for their products. CERT/CC indicates that HP, SonicWall and VMware products may also be affected.