You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flex.apache.org by "Christofer Dutz (JIRA)" <ji...@apache.org> on 2017/04/03 08:31:41 UTC

[jira] [Commented] (FLEX-35290) Deserialization of Untrusted Data via Externalizable.readExternal

    [ https://issues.apache.org/jira/browse/FLEX-35290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953123#comment-15953123 ] 

Christofer Dutz commented on FLEX-35290:
----------------------------------------

This issue has been addressed by the BLazeDS version 4.7.3 which we released last week. Starting with that version classes used for deserialization have to be whitelisted.

> Deserialization of Untrusted Data via Externalizable.readExternal
> -----------------------------------------------------------------
>
>                 Key: FLEX-35290
>                 URL: https://issues.apache.org/jira/browse/FLEX-35290
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: BlazeDS
>    Affects Versions: BlazeDS 4.7.2
>            Reporter: Markus Wulftange
>            Priority: Critical
>              Labels: security
>
> The AMF deserialization implementation of Flex BlazeDS is vulnerable to Deserialization of Untrusted Data via {{Externalizable.readExternal(ObjectInput)}}.
> By sending a specially crafted AMF message, it is possible to make the server establish a connection to an endpoint specified in the message and request an RMI remote object from that endpoint. This can result in the execution of arbitrary code on the server via Java deserialization.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)