[ https://issues.apache.org/jira/browse/FLEX-35290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953308#comment-15953308 ]

Markus Wulftange commented on FLEX-35290:
-----------------------------------------

[~cdutz] Good to hear that. You should update your download page 
<http://flex.apache.org/download-blazeds.html> accordingly.

> Deserialization of Untrusted Data via Externalizable.readExternal
> -----------------------------------------------------------------
>
>                 Key: FLEX-35290
>                 URL: https://issues.apache.org/jira/browse/FLEX-35290
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: BlazeDS
>    Affects Versions: BlazeDS 4.7.2
>            Reporter: Markus Wulftange
>            Assignee: Christofer Dutz
>            Priority: Critical
>              Labels: security
>             Fix For: Apache BlazeDS 4.7.3
>
>
> The AMF deserialization implementation of Flex BlazeDS is vulnerable to 
> Deserialization of Untrusted Data via 
> {{Externalizable.readExternal(ObjectInput)}}.
> By sending a specially crafted AMF message, it is possible to make the server 
> establish a connection to an endpoint specified in the message and request an 
> RMI remote object from that endpoint. This can result in the execution of 
> arbitrary code on the server via Java deserialization.
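The issue above describes a deserializer that instantiates whatever Externalizable class an AMF payload names and then hands it the stream via readExternal(). An added, illustrative mitigation (not BlazeDS code and not the fix shipped in 4.7.3): a hypothetical allow-list that the deserializer would consult before resolving and instantiating any class named by untrusted input; the package names and class names used below are constructed for the example.

```java
import java.io.InvalidClassException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical allow-list consulted by an AMF deserializer before it resolves a
 * class named in the payload. Default-deny: anything not listed is rejected
 * before Class.forName() is ever reached, so no unexpected type is loaded or
 * given a chance to run readExternal() against attacker-controlled bytes.
 */
public final class ExternalizableAllowList {
    private final List<String> allowedPrefixes = new ArrayList<>();
    private final Set<String> allowedClasses = new HashSet<>();

    public ExternalizableAllowList(List<String> prefixes, Set<String> classes) {
        allowedPrefixes.addAll(prefixes);
        allowedClasses.addAll(classes);
    }

    /** True only for an exact listed class or a listed application package prefix. */
    public boolean isAllowed(String className) {
        if (allowedClasses.contains(className)) return true;
        for (String prefix : allowedPrefixes) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    /** Resolve a class name taken from an untrusted AMF stream, or refuse it. */
    public Class<?> resolve(String className) throws InvalidClassException {
        if (!isAllowed(className)) {
            throw new InvalidClassException(className, "not on deserialization allow-list");
        }
        try {
            // initialize=false: merely resolving the name must not run static initialisers.
            return Class.forName(className, false, getClass().getClassLoader());
        } catch (ClassNotFoundException e) {
            throw new InvalidClassException(className, "class not present on server");
        }
    }

    public static void main(String[] args) {
        // Constructed configuration: one application DTO package plus one JDK value type.
        ExternalizableAllowList list = new ExternalizableAllowList(
                List.of("com.example.dto."), Set.of("java.util.ArrayList"));
        System.out.println(list.isAllowed("com.example.dto.Order"));       // true
        System.out.println(list.isAllowed("org.thirdparty.internal.Ref")); // false
        try {
            list.resolve("org.thirdparty.internal.Ref");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check belongs at the point where the type name is read from the stream, not after instantiation, because an Externalizable class does its work inside readExternal() and a post-hoc check would come too late.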



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)