Vulnerability Description
The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Themidnightcoders | Weborb For Java | 5.1.1.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97384 (Third Party Advisory, VDB Entry)
- http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution (Third Party Advisory)
- https://codewhitesec.blogspot.com/2017/04/amf.html (Exploit, Third Party Advisory)
- https://www.kb.cert.org/vuls/id/307983 (Third Party Advisory, US Government Resource)
FAQ
What is CVE-2017-3207?
CVE-2017-3207 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommend...
How severe is CVE-2017-3207?
CVE-2017-3207 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-3207?
Check the references section above for vendor advisories and patch information. Affected products include: Themidnightcoders Weborb For Java.