Adobe

Notified:  March 28, 2017 Updated: April 03, 2017

Statement Date:   March 31, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Affected versions (< 4.7) of Adobe Flex BlazeDS are no longer supported. Any affected users should upgrade to a newer version of BlazeDS now supported by the Apache Software Foundation.

Apache Software Foundation

Notified:  March 28, 2017 Updated: April 07, 2017

Statement Date:   April 04, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Apache Flex BlazeDS version 4.7.3 addresses CVE-2017-5641 by restricting classes to only those whitelisted. Affected users are encouraged to upgrade. The XXE vulnerability (CVE-2015-3269) was previously addressed in version 4.7.1.

Vendor References

Atlassian

Updated:  April 07, 2017

Status

  Affected

Vendor Statement

Atlassian has identified that JIRA versions from 4.2.4 prior to version 6.3.0 are impacted. These versions are all currently unsupported.

Vendor Information

Atlassian has released JIRA Security Advisory 2017-03-09 for this issue. CVE-2017-5983 was assigned according to ticket JRA-64077.

Vendor References

Exadel

Notified:  March 28, 2017 Updated: March 28, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Granite Data Services

Notified:  March 16, 2017 Updated: March 16, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett Packard Enterprise

Notified:  March 28, 2017 Updated: March 28, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Midnight Coders

Notified:  March 16, 2017 Updated: April 03, 2017

Statement Date:   March 16, 2017

Status

  Unknown

Vendor Statement

The demonstrated code would not be able to cause any harm for the reason that calling setAutoCommit( true ) requires a connection object which is not even initialized at that time (see lines 4067-4087 at: http://www.docjar.com/html/api/com/sun/rowset/JdbcRowSetImpl.java.html). Additionally, in our implementation all com.sun.* and java.* classes are excluded from deserialization.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Pivotal

Notified:  March 28, 2017 Updated: March 28, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SonicWall

Notified:  March 28, 2017 Updated: March 28, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

VMware

Notified:  March 16, 2017 Updated: April 14, 2017

Statement Date:   April 14, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

VMware uses Flex BlazeDS, and has released security advisory VMSA-2017-0007 to address this issue.

Vendor References