U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the https://www.███████/daip/messagebroker/amf

The vulnerability was an unsafe AMF Action Message Format deserialization issue in Apache Flex BlazeDS, affecting the /daip/messagebroker/amf endpoint. Successful exploitation could allow an attacker to trigger a DNS lookup by sending a crafted AMF payload. The vulnerability was identified and...

Vigor ACS Unsafe Flex AMF Java Object Deserialization(CVE-2017-5641)

Vulnerability Summary A vulnerability in Vigor ACS allows unauthenticated users to cause the product to execute arbitrary code. VigorACS 2 “is a powerful centralized management software for Vigor Routers and VigorAPs, it is an integrated solution for configuring, monitoring, and maintenance of...

CVE-2017-5641

Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...

CVE-2017-5641

Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...

CVE-2017-5641

CVE-2017-5641 is an insecure-deserialization issue in Apache Flex BlazeDS (AMF3) affecting BlazeDS

VMware vCenter Server Appliance BlazeDS AMF3 RCE (VMSA-2017-0007)

The version of VMware vCenter Server Appliance installed on the remote host is 6.0 prior to Update 3b or 6.5 prior to Update c. It is, therefore, affected by a flaw in FlexBlazeDS when processing AMF3 messages due to allowing the instantiation of arbitrary classes when deserializing objects. An...

VMware vCenter Server 6.0.x < 6.0u3b / 6.5.x < 6.5c BlazeDS AMF3 RCE (VMSA-2017-0007)

The version of VMware vCenter Server installed on the remote host is 6.0.x prior to 6.0u3b or 6.5.x prior to 6.5c. It is, therefore, affected by a flaw in FlexBlazeDS when processing AMF3 messages due to allowing the instantiation of arbitrary classes when deserializing objects. An unauthenticate...

VMSA-2017-0007:VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS

VMSA-2017-0007 VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS VMware Security Advisory VMware Security Advisory Advisory ID: VMSA-2017-0007 VMware Security Advisory Severity: Critical VMware Security Advisory Synopsis: VMware vCenter Server updates resolve...

AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this...