Apache Software Foundation Information for VU#307983
Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references
- Date Notified: 28 Mar 2017
- Statement Date: 04 Apr 2017
- Date Updated: 07 Apr 2017
No statement is currently available from the vendor regarding this vulnerability.
Apache Flex BlazeDS version 4.7.3 addresses CVE-2017-5641 by restricting deserialization to whitelisted classes only. Affected users are encouraged to upgrade.
The XXE vulnerability (CVE-2015-3269) was previously addressed in version 4.7.1.
There are no additional comments at this time.