Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.
The security holes were reported to CERT/CC and vendors by Markus Wulftange, senior penetration tester at Code White. Patches have been made available for some of the affected products.
Serialization is the process of converting an object into a stream of bytes so that it can be stored (in memory or a file) or transmitted. Deserialization is the reverse process, in which an object is reconstructed from serialized data; it can lead to significant security flaws if that data is not handled properly.
AMF3, the latest version of Adobe’s Action Message Format, is a compact binary format used to serialize ActionScript object graphs. AMF was first introduced in Flash Player 6 in 2001 and AMF3 has been around since Flash Player 9.
There have been several reports in the past few years about remote code execution vulnerabilities introduced in Java-based applications due to inadequate serialization implementations.
Wulftange has discovered that some Java implementations of AMF3 deserializers introduce potentially serious vulnerabilities, allowing unauthenticated attackers to remotely execute code or cause a denial-of-service (DoS) condition. An XXE flaw reported by the researcher can also lead to disclosure of sensitive data on the server.
CERT/CC’s advisory mentions three vulnerabilities. The first flaw allows an attacker who can spoof or control an RMI (Remote Method Invocation) server to execute code. This security hole is said to affect Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.
The second vulnerability can also be exploited for arbitrary code execution by an attacker who can spoof or control information. This weakness impacts Flamingo, Apache’s Flex BlazeDS and GraniteDS. The XXE flaw has been found to affect the same products along with WebORB.
Some of the vulnerable libraries, such as GraniteDS and Flamingo, have been discontinued. Atlassian and Apache have released patches for the flaws impacting their products.
According to CERT/CC, products from HPE, SonicWall and VMware could also be affected. The organization has advised developers to use versions of JDK that implement serialization blacklisting filters and ensure that their products properly handle deserialized data from untrusted sources.
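To illustrate the JDK serialization-filter mitigation CERT/CC points to, here is an added example (not code from the advisory or from any of the products named above; the `Order` class and the filter pattern are constructed for the demonstration). It uses the JEP 290 `ObjectInputFilter` available in Java 9 and later to allowlist a single class and reject every other class before it is resolved:

```java
import java.io.*;

public class AllowlistDeserializer {
    // JEP 290 filter pattern (constructed for this example): cap graph depth and
    // array sizes, allow only our DTO, and reject everything else ("!*").
    // Rejection happens before the class is loaded or any constructor runs.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;AllowlistDeserializer$Order;!*");

    // The only type this endpoint is supposed to receive (hypothetical DTO).
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        final double amount;
        Order(int id, double amount) { this.id = id; this.amount = amount; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserialize with the allowlist filter attached; throws InvalidClassException
    // ("filter status: REJECTED") for any class outside the allowlist.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Order ok = (Order) deserialize(serialize(new Order(42, 9.99)));
        System.out.println("accepted: order " + ok.id + " amount " + ok.amount);
        try {
            // Constructed stand-in for an unexpected class in untrusted input.
            deserialize(serialize(new java.util.ArrayList<Integer>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The JDK filter governs only `ObjectInputStream`, so it covers the paths where an AMF3 library hands bytes to Java serialization; data the library parses itself still needs the library's own type restrictions.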
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.