Date: Mon, 3 Apr 2017 12:13:42 +0000 (UTC)
From: "Christofer Dutz (JIRA)"
To: issues@flex.apache.org
Subject: [jira] [Commented] (FLEX-35290) Deserialization of Untrusted Data via Externalizable.readExternal

[ https://issues.apache.org/jira/browse/FLEX-35290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953370#comment-15953370 ]

Christofer Dutz commented on FLEX-35290:
----------------------------------------

Oops ... well, what should I say? You are absolutely correct ... I'll take care of that as soon as possible.

> Deserialization of Untrusted Data via Externalizable.readExternal
> -----------------------------------------------------------------
>
>                 Key: FLEX-35290
>                 URL: https://issues.apache.org/jira/browse/FLEX-35290
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: BlazeDS
>    Affects Versions: BlazeDS 4.7.2
>            Reporter: Markus Wulftange
>            Assignee: Christofer Dutz
>            Priority: Critical
>              Labels: security
>             Fix For: Apache BlazeDS 4.7.3
>
>
> The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data via {{Externalizable.readExternal(ObjectInput)}}.
> By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
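The issue quoted above comes down to one decision point: an AMF decoder reads a class name from the client's message, instantiates that class and hands the untrusted stream to its readExternal(ObjectInput) method. The added example below is not BlazeDS code and not part of this ticket; it shows that decision point in its unguarded form next to a guarded form that checks the class name against a fixed allowlist before any class is loaded. The class name AmfExternalizableDecoder, the constant ALLOWED_EXTERNALIZABLE and the com.example.* entries are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Set;

/**
 * Illustrative guard for a decoder that turns a class name read from the wire
 * into an Externalizable instance. All names here are hypothetical; this is
 * not the BlazeDS implementation.
 */
public final class AmfExternalizableDecoder {

    // Constructed allowlist: only application types that are designed to be
    // populated from untrusted input may have readExternal() invoked.
    private static final Set<String> ALLOWED_EXTERNALIZABLE = Set.of(
            "com.example.dto.Customer",
            "com.example.dto.Order");

    /**
     * Unguarded pattern: whatever class the client names is loaded, constructed
     * and fed the stream, so any Externalizable on the classpath is reachable.
     */
    public static Externalizable decodeUnchecked(String className, ObjectInput in)
            throws IOException, ReflectiveOperationException {
        Class<?> c = Class.forName(className);
        Externalizable ext = (Externalizable) c.getDeclaredConstructor().newInstance();
        ext.readExternal(in);
        return ext;
    }

    /**
     * Guarded pattern: the name is checked before the class is loaded, so no
     * static initializer, constructor or readExternal() of an unexpected type
     * ever runs. The class is then loaded without initialization and verified
     * to actually implement Externalizable.
     */
    public static Externalizable decodeChecked(String className, ObjectInput in)
            throws IOException, ReflectiveOperationException {
        if (!ALLOWED_EXTERNALIZABLE.contains(className)) {
            throw new IOException("Refusing to deserialize Externalizable class: " + className);
        }
        Class<?> c = Class.forName(className, false, AmfExternalizableDecoder.class.getClassLoader());
        if (!Externalizable.class.isAssignableFrom(c)) {
            throw new IOException("Not an Externalizable type: " + className);
        }
        Externalizable ext = (Externalizable) c.getDeclaredConstructor().newInstance();
        ext.readExternal(in);
        return ext;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an object stream containing only its header stands
        // in for the body of an AMF message.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        new ObjectOutputStream(buf).flush();
        ObjectInput in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()));

        // A class name that is not on the allowlist is rejected before Class.forName runs.
        try {
            decodeChecked("com.example.NotOnTheList", in);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order of the checks matters: the allowlist comparison happens on the string alone, so a rejected name never reaches the class loader. Logging the rejected class name, as the catch block does, also gives operators a cheap detection signal for probing against the endpoint.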