Posted to announce@apache.org by Maxim Solodovnik <so...@apache.org> on 2018/01/11 11:21:30 UTC

CVE-2017-5878 - RED5/AMF Unmarshalling RCE

Severity: Critical

Vendor: Red5

Versions Affected: Apache OpenMeetings 3.1.3 and earlier

Description: The AMF unmarshallers in Red5 Media Server before 1.0.8
do not restrict the classes for which they perform deserialization,
which allows remote attackers to execute arbitrary code via crafted
serialized Java data.
CVE-2017-5878

The issue was fixed in 3.1.4.
All users are recommended to upgrade to the latest version of Apache
OpenMeetings.

Credit: This issue was identified by Moritz Bechler
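
Added example (not part of the original announcement, and not Red5 or OpenMeetings code or the actual fix): a sketch of the class restriction the description says was missing, where an unmarshaller checks the class name supplied on the wire against an allowlist before loading or instantiating anything. All class, method and type names are hypothetical; Java 9 or later is assumed.

```java
import java.util.Map;
import java.util.Set;

// Added illustration with hypothetical names; not Red5 or OpenMeetings code.
public class AllowlistedUnmarshalDemo {

    // Constructed sample DTO standing in for a type the application expects.
    public static class ChatMessage {
        public String from;
        public String text;
    }

    // Only classes the application expects on the wire may be instantiated.
    static final Set<String> ALLOWED = Set.of(ChatMessage.class.getName());

    // Resolve a wire-supplied class name; reject it before any class loading.
    static Class<?> resolve(String wireName) throws ClassNotFoundException {
        if (!ALLOWED.contains(wireName)) {
            throw new SecurityException("class not allowed for unmarshalling: " + wireName);
        }
        // initialize=false: the lookup itself does not run static initializers.
        return Class.forName(wireName, false, AllowlistedUnmarshalDemo.class.getClassLoader());
    }

    // Build an object from a typed record: class name plus public field values.
    static Object unmarshal(String wireName, Map<String, Object> fields)
            throws ReflectiveOperationException {
        Class<?> type = resolve(wireName);
        Object obj = type.getDeclaredConstructor().newInstance();
        for (Map.Entry<String, Object> e : fields.entrySet()) {
            type.getField(e.getKey()).set(obj, e.getValue()); // public fields only
        }
        return obj;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an expected type is accepted.
        ChatMessage ok = (ChatMessage) unmarshal(ChatMessage.class.getName(),
                Map.of("from", "alice", "text", "hello"));
        System.out.println("accepted: " + ok.from + ": " + ok.text);

        // Constructed input: a type name outside the allowlist is refused.
        try {
            unmarshal("com.example.UnexpectedType", Map.of());
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```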