[ https://issues.apache.org/jira/browse/FLEX-35290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953370#comment-15953370 ]
Christofer Dutz commented on FLEX-35290:
----------------------------------------

Oops ... well, what should I say? You are absolutely correct ... I'll take care of that as soon as possible.

> Deserialization of Untrusted Data via Externalizable.readExternal
> -----------------------------------------------------------------
>
>                 Key: FLEX-35290
>                 URL: https://issues.apache.org/jira/browse/FLEX-35290
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: BlazeDS
>    Affects Versions: BlazeDS 4.7.2
>            Reporter: Markus Wulftange
>            Assignee: Christofer Dutz
>            Priority: Critical
>              Labels: security
>             Fix For: Apache BlazeDS 4.7.3
>
>
> The AMF deserialization implementation of Flex BlazeDS is vulnerable to
> Deserialization of Untrusted Data via
> {{Externalizable.readExternal(ObjectInput)}}.
> By sending a specially crafted AMF message, it is possible to make the server
> establish a connection to an endpoint specified in the message and request an
> RMI remote object from that endpoint. This can result in the execution of
> arbitrary code on the server via Java deserialization.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
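Added illustration, not code from BlazeDS or from anyone on this ticket: the report above says the decoder instantiates whatever class an inline externalizable AMF object names and hands the rest of the message to that class's readExternal(). The check a practitioner wants is an allowlist applied to that class alias before anything is instantiated. The Python model below reads the AMF3 object header (U29 trait flags, class alias, sealed/dynamic members) and refuses non-allowlisted externalizable aliases at exactly that point. The allowlist contents, the helper and function names, and the sample messages are all constructed for this example; "example.UnlistedExternalizable" is a hypothetical class name, not a real gadget.

```python
# Constructed example: AMF3 reader that gates inline externalizable objects
# on a class allowlist before any readExternal() dispatch would happen.

ALLOWED_EXTERNALIZABLE = frozenset({
    "flex.messaging.io.ArrayCollection",   # assumed benign for this demo
    "flex.messaging.io.ObjectProxy",
})


class UnsafeClassError(ValueError):
    """Raised before instantiating a class that is not on the allowlist."""


class AMF3Reader:
    """Subset of AMF3: undefined, null, booleans, integers, strings, objects."""

    def __init__(self, data: bytes, allowed=ALLOWED_EXTERNALIZABLE):
        self.buf, self.pos = data, 0
        self.strings = []            # AMF3 string reference table
        self.allowed = allowed

    def _byte(self) -> int:
        if self.pos >= len(self.buf):
            raise ValueError("truncated AMF3 data")
        b = self.buf[self.pos]
        self.pos += 1
        return b

    def read_u29(self) -> int:
        # 1-4 bytes: 7 payload bits in each of the first three (high bit =
        # continue), all 8 bits in the fourth.
        result = 0
        for _ in range(3):
            b = self._byte()
            result = (result << 7) | (b & 0x7F)
            if not b & 0x80:
                return result
        return (result << 8) | self._byte()

    def read_string(self) -> str:
        ref = self.read_u29()
        if not ref & 1:                      # low bit clear: table reference
            return self.strings[ref >> 1]
        length = ref >> 1
        raw = self.buf[self.pos:self.pos + length]
        if len(raw) != length:
            raise ValueError("truncated string")
        self.pos += length
        s = raw.decode("utf-8")
        if s:                                # the empty string is never tabled
            self.strings.append(s)
        return s

    def read_value(self):
        marker = self._byte()
        if marker in (0x00, 0x01):           # undefined / null
            return None
        if marker in (0x02, 0x03):           # false / true
            return marker == 0x03
        if marker == 0x04:                   # 29-bit signed integer
            n = self.read_u29()
            return n - 0x20000000 if n & 0x10000000 else n
        if marker == 0x06:
            return self.read_string()
        if marker == 0x0A:
            return self.read_object()
        raise ValueError(f"unsupported AMF3 marker 0x{marker:02x}")

    def read_object(self):
        flags = self.read_u29()
        if not flags & 1 or not flags & 2:
            raise ValueError("object/trait references not supported here")
        class_name = self.read_string()
        if flags & 4:
            # Externalizable trait: a Java decoder would now instantiate
            # class_name and call readExternal() on the remaining bytes.
            # The allowlist is checked *before* that can happen.
            if class_name not in self.allowed:
                raise UnsafeClassError(f"refusing to instantiate {class_name!r}")
            return {"@class": class_name, "@externalizable": True,
                    "@payload": self.buf[self.pos:]}
        count, dynamic = flags >> 4, bool(flags & 8)
        names = [self.read_string() for _ in range(count)]
        obj = {"@class": class_name}
        for name in names:                   # sealed members
            obj[name] = self.read_value()
        while dynamic:                       # dynamic members end with ""
            name = self.read_string()
            if name == "":
                break
            obj[name] = self.read_value()
        return obj


def decode(data: bytes, allowed=ALLOWED_EXTERNALIZABLE):
    return AMF3Reader(data, allowed).read_value()


def is_accepted(data: bytes, allowed=ALLOWED_EXTERNALIZABLE) -> bool:
    """True if the message decodes without naming a non-allowlisted class."""
    try:
        decode(data, allowed)
        return True
    except UnsafeClassError:
        return False


# Constructed sample messages (minimal encoder for small values only).
def _u29(n: int) -> bytes:
    return bytes([n]) if n < 0x80 else bytes([(n >> 7) | 0x80, n & 0x7F])

def _s(s: str) -> bytes:
    b = s.encode("utf-8")
    return _u29((len(b) << 1) | 1) + b

# 0x0a object, traits 0b0111 = inline + externalizable, class alias, body
BENIGN_MSG = b"\x0a\x07" + _s("flex.messaging.io.ArrayCollection") + b"\x09\x01\x01"
# Same shape with a hypothetical, non-allowlisted class alias
UNLISTED_MSG = b"\x0a\x07" + _s("example.UnlistedExternalizable") + b"\x09\x01\x01"
# Plain sealed object, anonymous class, one member "id" = 42
PLAIN_MSG = b"\x0a\x13" + _s("") + _s("id") + b"\x04" + _u29(42)
```

The point of the model is placement: the alias is validated as soon as the trait flags say "externalizable", while the payload that would feed readExternal() is still untouched bytes. A deny list of known gadget classes would not help here, since any Externalizable on the classpath that opens a network connection in readExternal() is reachable; only an allowlist of the types the application actually exchanges closes the class.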