Apache Flex / FLEX-35290

Deserialization of Untrusted Data via Externalizable.readExternal

    Details

    • Flags:
      Important

      Description

      The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data via Externalizable.readExternal(ObjectInput).

      By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization.
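Added example (Python; not BlazeDS code and not part of the report): it decodes the AMF3 object header that makes a server pick an Externalizable class by name and hand the remaining bytes to its readExternal(ObjectInput), and shows where a class allowlist check, of the kind the comments below describe for 4.7.3, has to sit so that no class is instantiated before the name has been checked. The byte layout follows the public AMF3 specification. The two sample messages, their payload bytes and the allowlist contents are constructed for this example, and com.example.AttackerChosen is a made-up class name.

```python
# Added example (not BlazeDS code): decode the AMF3 object header that selects an
# Externalizable class, and gate it with a class allowlist before readExternal runs.
# Assumptions: layout per the public AMF3 spec; messages and allowlist are constructed.

OBJECT_MARKER = 0x0A  # AMF3 type marker: object

# Bits of the U29O-traits value that follows the object marker.
TRAITS_INLINE_OBJECT = 0x01   # object encoded inline, not a back-reference
TRAITS_INLINE_TRAITS = 0x02   # traits encoded inline, not a traits reference
TRAITS_EXTERNALIZABLE = 0x04  # Externalizable: server calls readExternal(payload)


def encode_u29(value: int) -> bytes:
    """Encode a 29-bit unsigned integer in AMF3 variable-length form (1-4 bytes)."""
    if not 0 <= value < 1 << 29:
        raise ValueError("U29 out of range")
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([0x80 | (value >> 7), value & 0x7F])
    if value < 0x200000:
        return bytes([0x80 | (value >> 14), 0x80 | ((value >> 7) & 0x7F), value & 0x7F])
    # Four-byte form: three 7-bit groups with continuation bits, then one full byte.
    return bytes([0x80 | (value >> 22), 0x80 | ((value >> 15) & 0x7F),
                  0x80 | ((value >> 8) & 0x7F), value & 0xFF])


def decode_u29(buf: bytes, pos: int) -> tuple:
    """Decode a U29 at pos; return (value, position after it); reject truncation."""
    value = 0
    for i in range(4):
        if pos >= len(buf):
            raise ValueError("truncated U29")
        b = buf[pos]
        pos += 1
        if i == 3:                        # fourth byte carries all eight bits
            return (value << 8) | b, pos
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # no continuation bit: done
            return value, pos


def encode_utf8_vr(s: str) -> bytes:
    """Inline AMF3 string: U29 header (length << 1 | 1), then the UTF-8 bytes."""
    data = s.encode("utf-8")
    return encode_u29((len(data) << 1) | 1) + data


def decode_utf8_vr(buf: bytes, pos: int) -> tuple:
    """Decode an inline AMF3 string; string-table references are out of scope here."""
    header, pos = decode_u29(buf, pos)
    if not header & 1:
        raise ValueError("string reference not supported in this example")
    end = pos + (header >> 1)
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[pos:end].decode("utf-8"), end


def build_externalizable_object(class_name: str, payload: bytes) -> bytes:
    """Constructed AMF3 object marked Externalizable: the sender picks both the
    class name the server will instantiate and the bytes fed to readExternal."""
    traits = TRAITS_INLINE_OBJECT | TRAITS_INLINE_TRAITS | TRAITS_EXTERNALIZABLE
    return bytes([OBJECT_MARKER]) + encode_u29(traits) + encode_utf8_vr(class_name) + payload


def parse_object_header(buf: bytes) -> dict:
    """Parse marker, traits and class name; stop where readExternal would take over."""
    if not buf or buf[0] != OBJECT_MARKER:
        raise ValueError("not an AMF3 object")
    traits, pos = decode_u29(buf, 1)
    if not (traits & TRAITS_INLINE_OBJECT and traits & TRAITS_INLINE_TRAITS):
        raise ValueError("object/traits back-references not supported in this example")
    class_name, pos = decode_utf8_vr(buf, pos)
    return {"class_name": class_name,
            "externalizable": bool(traits & TRAITS_EXTERNALIZABLE),
            "payload": buf[pos:]}


class DisallowedClassError(Exception):
    """The stream names a class that is not on the allowlist."""


# Constructed allowlist; flex.messaging.io.ArrayCollection is a real BlazeDS
# Externalizable type. A deployment lists exactly the classes it exchanges.
ALLOWED_CLASSES = frozenset({"flex.messaging.io.ArrayCollection"})


def deserialize_header_checked(buf: bytes, allowed=ALLOWED_CLASSES) -> dict:
    """Allowlist gate: decide on the class name before any class is loaded."""
    header = parse_object_header(buf)
    if header["class_name"] not in allowed:
        raise DisallowedClassError(header["class_name"])
    return header
```

Feeding the two constructed messages through deserialize_header_checked shows the point: the ArrayCollection message passes, while the one naming com.example.AttackerChosen raises DisallowedClassError before any class loader sees the name, so its readExternal never runs and the outbound RMI connection described in the report is never made. The check has to key on the name in the stream, because that name alone decides which readExternal the server executes.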

        Activity

        cdutz Christofer Dutz added a comment -

        This issue has been addressed by the BlazeDS version 4.7.3 which we released last week. Starting with that version classes used for deserialization have to be whitelisted.

        markus.wulftange@code-white.com Markus Wulftange added a comment -

        Christofer Dutz, good to hear that. You should update your download page <http://flex.apache.org/download-blazeds.html> accordingly.

        cdutz Christofer Dutz added a comment -

        Oops ... well, what should I say? You are absolutely correct ... I'll take care of that as soon as possible.


          People

          • Assignee: cdutz Christofer Dutz
          • Reporter: markus.wulftange@code-white.com Markus Wulftange
          • Votes: 0
          • Watchers: 3