← back
CVE-2017-3207

WebORB for Java by Midnight Coders, version 5.1.1.0, Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization

EPSS 8.2%CWE-502
The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
Affected products
Midnight Coders · WebORB for Java

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://codewhitesec.blogspot.com/2017/04/amf.htmlhttps://www.kb.cert.org/vuls/id/307983http://www.securityfocus.com/bid/97384http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution