flex-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Markus Wulftange (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLEX-35290) Deserialization of Untrusted Data via Externalizable.readExternal
Date Mon, 03 Apr 2017 11:24:41 GMT

    [ https://issues.apache.org/jira/browse/FLEX-35290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953308#comment-15953308
] 

Markus Wulftange commented on FLEX-35290:
-----------------------------------------

[~cdutz] Good to hear that. You should update your download page <http://flex.apache.org/download-blazeds.html>
accordingly.

> Deserialization of Untrusted Data via Externalizable.readExternal
> -----------------------------------------------------------------
>
>                 Key: FLEX-35290
>                 URL: https://issues.apache.org/jira/browse/FLEX-35290
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: BlazeDS
>    Affects Versions: BlazeDS 4.7.2
>            Reporter: Markus Wulftange
>            Assignee: Christofer Dutz
>            Priority: Critical
>              Labels: security
>             Fix For: Apache BlazeDS 4.7.3
>
>
> The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization
of Untrusted Data via {{Externalizable.readExternal(ObjectInput)}}.
> By sending a specially crafted AMF message, it is possible to make the server establish
a connection to an endpoint specified in the message and request an RMI remote object from
that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message