CVE-2017-5641

CRITICAL

Apache Flex BlazeDS < 4.7.3 - Deserialization of Untrusted Data via AMF(X) Object Deserialization

Title source: llm
STIX 2.1

Description

Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.

References (8)

Core 8
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/307983
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97383
Broken Link vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038273
Issue Tracking, Vendor Advisory x_refsource_confirm
https://issues.apache.org/jira/browse/FLEX-35290
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-22-507/
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-22-506/

Scores

CVSS v3 9.8
EPSS 0.4848
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (5)
apache/flex_blazeds < 4.7.2
Apache Software Foundation/Apache Flex Blaze DS before 4.7.3
hp/xp_command_view_advanced_edition < 8.5.3-00
org.apache.flex.blazeds/flex-messaging-core 0 - 4.7.3Maven
org.apache.flex.blazeds/flex-messaging-remoting 0 - 4.7.3Maven
Published Dec 28, 2017
Tracked Since Feb 18, 2026