WebORB for Java Remote Code Execution and XML External Entity Injection Vulnerabilities

WebORB for Java is prone to a remote code execution vulnerability and an XML External Entity injection vulnerability.

Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application, to gain access to sensitive information or cause denial-of-service conditions.

WebORB for Java 5.1.1.0 is vulnerable; other versions may also be affected.

Information

Bugtraq ID: 97384
Class: Input Validation Error
CVE: CVE-2017-3207
CVE-2017-3208

Remote: Yes
Local: No
Published: Apr 04 2017 12:00AM
Credit: Markus Wulftange
Vulnerable: MidnightCoders WebORB for Java 5.1.1.0

Not Vulnerable:

References:

• AMF â?? Another Malicious Format (Codewhitesec)
  
• MidnightCoders Homepage (MidnightCoders)
  
• VU#307983: AMF3 Java implementations are vulnerable to insecure deserialization (CERT)
  

Source: www.securityfocus.com