Apache Flex BlazeDS CVE-2017-5641 Remote Code Execution Vulnerability

Apache Flex BlazeDS is prone to remote code-execution vulnerability.

Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions.

Apache Flex BlazeDS versions 4.6.0.23207 and 4.7.2 are vulnerable.

Information

Bugtraq ID: 97383
Class: Input Validation Error
CVE: CVE-2017-5641

Remote: Yes
Local: No
Published: Apr 04 2017 12:00AM
Credit: Markus Wulftange
Vulnerable: Apache Flex BlazeDS 4.7.2
Apache Flex BlazeDS 4.6.0.23207

Not Vulnerable: Apache Flex BlazeDS 4.7.3

References:

• Apache Homepage (Apache Software Foundation)
  
• Deserialization of Untrusted Data via Externalizable.readExternal (Apache)
  
• VU#307983: AMF3 Java implementations are vulnerable to insecure deserialization (CERT)
  

Source: www.securityfocus.com