7.5 - VU#307983

Executive Summary

Summary
Title	Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references

Informations
Name	VU#307983	First vendor Publication	2017-04-04
Vendor	VU-CERT	Last vendor Modification	2017-04-14
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#307983

Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references

Original Release date: 04 Apr 2017 | Last revised: 14 Apr 2017

Overview

Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references.

Description

Several Java implementations of Action Message Format (AMF3) are vulnerable to one or more of the following implementation errors:

CWE-502: Deserialization of Untrusted Data

Some Java implementations of AMF3 deserializers derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

The reporter has identified the following products and versions as being affected, and CVE ID have been assigned as follows:
- Atlassian JIRA, versions from 4.2.4 prior to version6.3.0 - CVE-2017-5983
- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3201
- GraniteDS, version 3.1.1.GA - CVE-2017-3199
- Pivotal/Spring spring-flex - CVE-2017-3203
- WebORB for Java by Midnight Coders, version 5.1.1.0 - CVE-2017-3207

Products using these libraries may also be impacted.

CWE-913: Improper Control of Dynamically-Managed Code Resources

Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.

The reporter has identified the following products and versions as being affected, and CVE ID have been assigned as follows:
- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3202
- Flex BlazeDS , versions 4.6.0.23207 and 4.7.2 - CVE-2017-5641
- GraniteDS, version 3.1.1.GA - CVE-2017-3200

Products using these libraries may also be impacted.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Some Java implementations of AMF3 deserializers allow external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

- Flamingo amf-serializer by Exadel, version 2.2.0 - CVE-2017-3206
- Flex BlazeDS , version 4.6.0.23207 - CVE-2015-3269
- GraniteDS, version 3.1.1.GA - CVE-2016-2340 (see VU#279472)
- WebORB for Java by Midnight Coders, version 5.1.1.0 - CVE-2017-3208

Products using these libraries may also be impacted.

More information is provided in the researcher's advisory.

Impact

A remote attacker with the ability to spoof or control a server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Solution

Apply an update if available

CERT/CC recommends applying an update or patch to your product if available. Some vendors have responded that only out-of-support versions of products are impacted. In these cases, CERT/CC recommends updating your product to the latest supported version.

More details are included for each vendor in the vendor records below.

Developers should use an updated JDK

Developers should use an updated Java development kit (JDK). JDK 8 update 121, JDK 7 update 131 and JDK 6 update 141 implement basic serialization blacklisting filters, while more serialization protection measures are expected in the upcoming Java 9. For more information, please see JEP 290.

Developers should be suspicious of deserialized data from untrusted sources

Developers should in general be very suspicious of deserialized data from an untrusted source. For best practices, see the CERT Oracle Coding Standard for Java guidelines for Serialization, especially rules SER12-J and SER13-J.

Use firewall rules or filesystem restrictions

System administrators may be able to mitigate this issue for some applications by restricting access to the network and/or filesystem. If an affected application utilizes an open port accepting serialized objects, restricting access to the application may help mitigate the issue.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Adobe	Affected	28 Mar 2017	03 Apr 2017
Apache Software Foundation	Affected	28 Mar 2017	07 Apr 2017
Atlassian	Affected	-	07 Apr 2017
VMware	Affected	16 Mar 2017	14 Apr 2017
Exadel	Unknown	28 Mar 2017	28 Mar 2017
Granite Data Services	Unknown	16 Mar 2017	16 Mar 2017
Hewlett Packard Enterprise	Unknown	28 Mar 2017	28 Mar 2017
Midnight Coders	Unknown	16 Mar 2017	03 Apr 2017
Pivotal	Unknown	28 Mar 2017	28 Mar 2017
SonicWall	Unknown	28 Mar 2017	28 Mar 2017

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	9.3	AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal	8.4	E:POC/RL:U/RC:C
Environmental	6.3	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://codewhitesec.blogspot.com/2017/04/amf.html
http://openjdk.java.net/jeps/290
http://www.kb.cert.org/vuls/id/279472
http://www.adobe.com/go/amfspec
https://cwe.mitre.org/data/definitions/502.html
https://cwe.mitre.org/data/definitions/913.html
https://cwe.mitre.org/data/definitions/611.html

Credit

Thanks to Markus Wulftange for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs:CVE-2015-3269CVE-2016-2340CVE-2017-5641CVE-2017-5983CVE-2017-3199CVE-2017-3200CVE-2017-3201CVE-2017-3202CVE-2017-3203CVE-2017-3206CVE-2017-3207CVE-2017-3208
Date Public:04 Apr 2017
Date First Published:04 Apr 2017
Date Last Updated:14 Apr 2017
Document Revision:89

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/307983

CWE : Common Weakness Enumeration

%	Id	Name
73 %	CWE-502	Deserialization of Untrusted Data
18 %	CWE-611	Information Leak Through XML External Entity File Disclosure
9 %	CWE-200	Information Exposure

CPE : Common Platform Enumeration

Type	Description	Count
Application	Adobe Livecycle Data Services cpe:2.3:a:adobe:livecycle_data_services:4.7:::::::* cpe:2.3:a:adobe:livecycle_data_services:4.6:::::::* cpe:2.3:a:adobe:livecycle_data_services:4.5:::::::* cpe:2.3:a:adobe:livecycle_data_services:3.0:::::::*	4
Application	Atlassian Jira cpe:2.3:a:atlassian:jira:6.2.7:::::::* cpe:2.3:a:atlassian:jira:6.2.6:::::::* cpe:2.3:a:atlassian:jira:6.2.5:::::::* cpe:2.3:a:atlassian:jira:6.2.4:::::::* cpe:2.3:a:atlassian:jira:6.2.3:::::::* cpe:2.3:a:atlassian:jira:6.2.2:::::::* cpe:2.3:a:atlassian:jira:6.2.1:::::::* cpe:2.3:a:atlassian:jira:6.2:::::::* cpe:2.3:a:atlassian:jira:6.1.9:::::::* cpe:2.3:a:atlassian:jira:6.1.8:::::::* cpe:2.3:a:atlassian:jira:6.1.7:::::::* cpe:2.3:a:atlassian:jira:6.1.6:::::::* cpe:2.3:a:atlassian:jira:6.1.5:::::::* cpe:2.3:a:atlassian:jira:6.1.4:::::::* cpe:2.3:a:atlassian:jira:6.1.3:::::::* cpe:2.3:a:atlassian:jira:6.1.2:::::::* cpe:2.3:a:atlassian:jira:6.1.1:::::::* cpe:2.3:a:atlassian:jira:6.1:::::::* cpe:2.3:a:atlassian:jira:6.0.8:::::::* cpe:2.3:a:atlassian:jira:6.0.7:::::::* cpe:2.3:a:atlassian:jira:6.0.5:::::::* cpe:2.3:a:atlassian:jira:6.0.4:::::::* cpe:2.3:a:atlassian:jira:6.0.3:::::::* cpe:2.3:a:atlassian:jira:6.0.2:::::::* cpe:2.3:a:atlassian:jira:6.0.1:::::::* cpe:2.3:a:atlassian:jira:6.0:::::::* cpe:2.3:a:atlassian:jira:5.2.9:::::::* cpe:2.3:a:atlassian:jira:5.2.8:::::::* cpe:2.3:a:atlassian:jira:5.2.7:::::::* cpe:2.3:a:atlassian:jira:5.2.6:::::::* cpe:2.3:a:atlassian:jira:5.2.5:::::::* cpe:2.3:a:atlassian:jira:5.2.4:::::::* cpe:2.3:a:atlassian:jira:5.2.3:::::::* cpe:2.3:a:atlassian:jira:5.2.2:::::::* cpe:2.3:a:atlassian:jira:5.2.11:::::::* cpe:2.3:a:atlassian:jira:5.2.10:::::::* cpe:2.3:a:atlassian:jira:5.2.1:::::::* cpe:2.3:a:atlassian:jira:5.2:::::::* cpe:2.3:a:atlassian:jira:5.1.8:::::::* cpe:2.3:a:atlassian:jira:5.1.7:::::::* cpe:2.3:a:atlassian:jira:5.1.6:::::::* cpe:2.3:a:atlassian:jira:5.1.5:::::::* cpe:2.3:a:atlassian:jira:5.1.4:::::::* cpe:2.3:a:atlassian:jira:5.1.3:::::::* cpe:2.3:a:atlassian:jira:5.1.2:::::::* cpe:2.3:a:atlassian:jira:5.1.1:::::::* cpe:2.3:a:atlassian:jira:5.1:::::::* cpe:2.3:a:atlassian:jira:5.0.7:::::::* cpe:2.3:a:atlassian:jira:5.0.5:::::::* cpe:2.3:a:atlassian:jira:5.0.4:::::::* cpe:2.3:a:atlassian:jira:5.0.3:::::::* cpe:2.3:a:atlassian:jira:5.0.2:::::::* cpe:2.3:a:atlassian:jira:5.0.1:::::::* cpe:2.3:a:atlassian:jira:5.0:::::::* cpe:2.3:a:atlassian:jira:4.4.5:::::::* cpe:2.3:a:atlassian:jira:4.4.4:::::::* cpe:2.3:a:atlassian:jira:4.4.3:::::::* cpe:2.3:a:atlassian:jira:4.4.2:::::::* cpe:2.3:a:atlassian:jira:4.4.1:::::::* cpe:2.3:a:atlassian:jira:4.4:::::::* cpe:2.3:a:atlassian:jira:4.3.4:::::::* cpe:2.3:a:atlassian:jira:4.3.3:::::::* cpe:2.3:a:atlassian:jira:4.3.2:::::::* cpe:2.3:a:atlassian:jira:4.3.1:::::::* cpe:2.3:a:atlassian:jira:4.3:::::::* cpe:2.3:a:atlassian:jira:4.2.4:::::::*	66
Application	Exadel Flamingo cpe:2.3:a:exadel:flamingo:2.2.0:::::::*	1
Application	Exadel Flamingo Amf-Serializer cpe:2.3:a:exadel:flamingo_amf-serializer:2.2.0:::::::*	1
Application	Graniteds Granite Data Services cpe:2.3:a:graniteds:granite_data_services:3.1.1-snapshot:::::::*	1
Application	Graniteds cpe:2.3:a:graniteds:graniteds:3.1.1:::::::*	1
Application	Hp Business Service Management cpe:2.3:a:hp:business_service_management:9.25:ip1:::::: cpe:2.3:a:hp:business_service_management:9.12:::::::* cpe:2.3:a:hp:business_service_management:9.10:::::::* cpe:2.3:a:hp:business_service_management:9.01:::::::*	4
Application	Hp Xp Command View Advanced Edition cpe:2.3:a:hp:xp_command_view_advanced_edition::::::::	1
Application	Pivotal Spring-Flex cpe:2.3:a:pivotal:spring-flex::::::::	1
Application	Themidnightcoders Weborb For Java cpe:2.3:a:themidnightcoders:weborb_for_java:5.1.1.0:::::::*	1

Information Assurance Vulnerability Management (IAVM)

Date	Description
2015-09-03	IAVM : 2015-A-0205 - Adobe Cold Fusion Information Disclosure Vulnerability Severity : Category I - VMSKEY : V0061363
2015-08-20	IAVM : 2015-B-0102 - Adobe LiveCycle Data Services Information Disclosure Vulnerability Severity : Category I - VMSKEY : V0061331

Nessus® Vulnerability Scanner

Date	Description
2017-05-16	Name : The remote web server hosts a web application that is affected by multiple vu... File : jira_6_3.nasl - Type : ACT_GATHER_INFO
2017-04-19	Name : A virtualization appliance installed on the remote host is affected by a remo... File : vmware_vcenter_server_appliance_vmsa-2017-0007.nasl - Type : ACT_GATHER_INFO
2017-04-19	Name : A virtualization management application installed on the remote host is affec... File : vmware_vcenter_vmsa-2017-0007.nasl - Type : ACT_GATHER_INFO
2016-03-09	Name : The remote host is affected by an external entity injection vulnerability. File : hp_operations_manager_i_hpsbgn03550.nasl - Type : ACT_GATHER_INFO
2015-12-22	Name : The remote host has a virtualization management application installed that is... File : vmware_vcenter_vmsa-2015-0008.nasl - Type : ACT_GATHER_INFO
2015-09-03	Name : A web-based application running on the remote Windows host is affected by an ... File : coldfusion_win_apsb15-21.nasl - Type : ACT_GATHER_INFO
2015-04-13	Name : The remote Windows host has an application installed that is affected by mult... File : vmware_horizon_view_VMSA-2015-0003.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2018-06-11 21:21:56	Multiple Updates
2017-12-28 21:23:46	Multiple Updates
2017-05-17 13:22:24	Multiple Updates
2017-04-20 13:24:14	Multiple Updates
2017-04-15 09:25:30	Multiple Updates
2017-04-14 17:22:55	Multiple Updates
2017-04-10 21:26:10	Multiple Updates
2017-04-07 21:22:34	Multiple Updates
2017-04-07 17:23:27	Multiple Updates
2017-04-06 21:18:47	Multiple Updates
2017-04-04 21:22:47	First insertion

Global Informations

Type	Count
CWE ID(s)	11
CPE ID(s)	81
IAVM(s)	2
Nessus® Exploit(s)	7

	Related
9.8	CVE-2017-5983
9.8	CVE-2017-5641
9.8	CVE-2017-3208
9.8	CVE-2017-3207
9.8	CVE-2017-3206
9.8	CVE-2017-3202
8.1	CVE-2017-3203
8.1	CVE-2017-3201
8.1	CVE-2017-3200
8.1	CVE-2017-3199
5.5	VU#279472
5.4	CVE-2016-2340
5	CVE-2015-3269
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 13 more Alert(s)