Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Flaws in Java AMF Libraries Allow Remote Code Execution

Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.

Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.

The security holes were reported to CERT/CC and vendors by Markus Wulftange, senior penetration tester at Code White. Patches have been made available for some of the affected products.

Serialization is the process where an object is converted to a stream of bytes in order to store or transmit that object to memory or a file. The process in which serialized data is extracted is called deserialization and it can lead to significant security flaws if not handled properly.

AMF3, the latest version of Adobe’s Action Message Format, is a compact binary format used to serialize ActionScript object graphs. AMF was first introduced in Flash Player 6 in 2001 and AMF3 has been around since Flash Player 9.

There have been several reports in the past few years about remote code execution vulnerabilities introduced in Java-based applications due to inadequate serialization implementations.

Wulftange has discovered that some Java implementations of AMF3 deserializers introduce potentially serious vulnerabilities, allowing unauthenticated attackers to remotely execute code or cause a denial-of-service (DoS) condition. An XXE flaw reported by the researcher can also lead to disclosure of sensitive data on the server.

CERT/CC’s advisory mentions three vulnerabilities. The first flaw allows an attacker who can spoof or control an RMI (Remote Method Invocation) server to execute code. This security hole is said to affect Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

The second vulnerability can also be exploited for arbitrary code execution by an attacker who can spoof or control information. This weakness impacts Flamingo, Apache’s Flex BlazeDS and GraniteDS. The XXE flaw has been found to affect the same products along with WebORB.

Advertisement. Scroll to continue reading.

Some of the vulnerable libraries, such as GraniteDS and Flamingo, have been discontinued. Atlassian and Apache have released patches for the flaws impacting their products.

According to CERT/CC, products from HPE, SonicWall and VMware could also be affected. The organization has advised developers to use versions of JDK that implement serialization blacklisting filters and ensure that their products properly handle deserialized data from untrusted sources.

Related: Serialization Vulnerabilities Put Many Android Devices at Risk

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.