Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entity (XXE) references.
Several Java implementations of Action Message Format version 3 (AMF3) are vulnerable to one or more of the following implementation errors:
CWE-502: Deserialization of Untrusted Data
A remote attacker with the ability to spoof or control a server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
Apply an update if available
Developers should use an updated JDK
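The deserialization risk described above, and the kind of JDK-level control an updated JDK makes available, shown as an added example that is not part of this note and not taken from any AMF3 library. It contrasts the unsafe pattern behind CWE-502 (instantiating whatever class the remote side names) with a serialization filter built on java.io.ObjectInputFilter, the API introduced by JEP 290 in JDK 9 and backported to JDK 8u121. The message types PingMessage and UnexpectedType, and the class name DeserializationFilterDemo, are assumptions constructed for the example; the byte streams are built in-process rather than received from a server.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not code from the advisory or from any AMF3 implementation.
// Requires JDK 9+ (java.io.ObjectInputFilter); JDK 8u121 offers the same
// mechanism under sun.misc.ObjectInputFilter.
public class DeserializationFilterDemo {

    // Hypothetical message type a client legitimately expects from the server.
    public static final class PingMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        PingMessage(String payload) { this.payload = payload; }
    }

    // Hypothetical type that is never expected on the wire; it stands in for
    // any class a spoofed or compromised server might name in the stream.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Vulnerable pattern (CWE-502): the stream decides which classes get
    // instantiated, so every Serializable class on the classpath is reachable.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter is consulted for each class before
    // it is resolved; "!*" rejects everything not listed, and the limits cap
    // graph depth and array sizes that the stream may request.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        String allowed = DeserializationFilterDemo.class.getName() + "$PingMessage";
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxarray=1024;" + allowed + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Constructed input: serialize an object the way a server response would be.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PingMessage("hello"));
        byte[] unexpected = serialize(new UnexpectedType());

        // The unfiltered stream happily instantiates both types.
        System.out.println("unfiltered expected:   "
                + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("unfiltered unexpected: "
                + readUnfiltered(unexpected).getClass().getSimpleName());

        // The filtered stream accepts the expected type and rejects the other
        // with an InvalidClassException before any constructor-side logic runs.
        System.out.println("filtered expected:     "
                + readFiltered(expected).getClass().getSimpleName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered unexpected:   accepted (filter not applied?)");
        } catch (InvalidClassException e) {
            System.out.println("filtered unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter string is the same syntax the JDK accepts through the jdk.serialFilter system property, so the allowlist can be applied process-wide to a deployed application without touching the AMF3 library's code; the limits (maxdepth, maxarray) also blunt resource-exhaustion streams that an allowlist alone does not address.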
Thanks to Markus Wulftange for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: CVE-2015-3269, CVE-2016-2340, CVE-2017-5641, CVE-2017-5983, CVE-2017-3199, CVE-2017-3200, CVE-2017-3201, CVE-2017-3202, CVE-2017-3203, CVE-2017-3206, CVE-2017-3207, CVE-2017-3208
Date First Published: 2017-04-04
Date Last Updated: 2017-04-14 15:08 UTC