QwikSec

Security Database

CVE

CWE

Training

CVE-2017-5641

Published: Dec 28, 2017

Modified: Sep 16, 2024

PUBLISHED

Description

Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.

Vendor	Product	Versions
Apache Software Foundation	Apache Flex Blaze DS	affected `before 4.7.3`

References

third-party-advisory

x_refsource_CERT-VN

vdb-entry

x_refsource_BID

vdb-entry

x_refsource_SECTRACK

[flex-dev] 20170327 [VOTE] Release Apache Flex BlazeDS 4.7.3

mailing-list

x_refsource_MLIST

https://issues.apache.org/jira/browse/FLEX-35290

x_refsource_CONFIRM

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03823en_us

x_refsource_CONFIRM

https://www.zerodayinitiative.com/advisories/ZDI-22-507/

x_refsource_MISC

https://www.zerodayinitiative.com/advisories/ZDI-22-506/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.