Apache Flex BlazeDS AMF Message Deserialization Code Execution Vulnerability



A vulnerability in the Action Message Format (AMF) deserialization implementation of Apache Flex BlazeDS could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists because the affected software could deserialize untrusted user-supplied input via the Externalizable.readExternal(ObjectInput) method. An attacker could exploit this vulnerability by sending an AMF message that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code on the system.

Apache has confirmed the vulnerability and released software updates.

Security Impact Rating: High

CVE: CVE-2017-5641

Source:: Cisco Multivendor Vulnerability Alerts