[ https://issues.apache.org/jira/browse/FLEX-35290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953123#comment-15953123 ]
Christofer Dutz commented on FLEX-35290:
----------------------------------------

This issue has been addressed by the BlazeDS version 4.7.3 which we released last week. Starting with that version classes used for deserialization have to be whitelisted.

> Deserialization of Untrusted Data via Externalizable.readExternal
> -----------------------------------------------------------------
>
>                 Key: FLEX-35290
>                 URL: https://issues.apache.org/jira/browse/FLEX-35290
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: BlazeDS
>    Affects Versions: BlazeDS 4.7.2
>            Reporter: Markus Wulftange
>            Priority: Critical
>              Labels: security
>
> The AMF deserialization implementation of Flex BlazeDS is vulnerable to
> Deserialization of Untrusted Data via
> {{Externalizable.readExternal(ObjectInput)}}.
> By sending a specially crafted AMF message, it is possible to make the server
> establish a connection to an endpoint specified in the message and request an
> RMI remote object from that endpoint. This can result in the execution of
> arbitrary code on the server via Java deserialization.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)