CVE-2017-3202 - OpenCVE

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Exadel	Flamingo

Configuration 1 [-]

cpe:2.3:a:exadel:flamingo:2.2.0:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/97380	Third Party Advisory VDB Entry
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution	Third Party Advisory
https://codewhitesec.blogspot.com/2017/04/amf.html	Exploit Third Party Advisory
https://www.kb.cert.org/vuls/id/307983	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2018-06-11T17:00:00

Updated: 2018-06-12T09:57:01

Reserved: 2016-12-05T00:00:00

Link: CVE-2017-3202

JSON object: View

NVD Information

Status : Modified

Published: 2018-06-11T17:29:00.617

Modified: 2019-10-09T23:27:22.603

Link: CVE-2017-3202

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Flamingo amf-serializer", "vendor": "Exadel", "versions": [{"status": "affected", "version": "2.2.0"}]}], "datePublic": "2017-04-04T00:00:00", "descriptions": [{"lang": "en", "value": "The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-913", "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-12T09:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"}, {"name": "VU#307983", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/307983"}, {"tags": ["x_refsource_MISC"], "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"}, {"name": "97380", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97380"}], "source": {"discovery": "UNKNOWN"}, "title": "The implementation of Action Message Format (AMF3) deserializers in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes due to improper code control", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2017-3202", "STATE": "PUBLIC", "TITLE": "The implementation of Action Message Format (AMF3) deserializers in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes due to improper code control"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Flamingo amf-serializer", "version": {"version_data": [{"affected": "=", "version_affected": "=", "version_name": "2.2.0", "version_value": "2.2.0"}]}}]}, "vendor_name": "Exadel"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-913: Improper Control of Dynamically-Managed Code Resources"}]}]}, "references": {"reference_data": [{"name": "https://codewhitesec.blogspot.com/2017/04/amf.html", "refsource": "MISC", "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"}, {"name": "VU#307983", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/307983"}, {"name": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution", "refsource": "MISC", "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"}, {"name": "97380", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97380"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2017-3202", "datePublished": "2018-06-11T17:00:00", "dateReserved": "2016-12-05T00:00:00", "dateUpdated": "2018-06-12T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:exadel:flamingo:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "14271505-24A5-4A02-9D89-5849F8917E68", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized."}, {"lang": "es", "value": "La implementaci\u00f3n de Java de los deserializadores AMF3 empleada en Flamingo amf-serializer, de Exadel, versi\u00f3n 2.2.0, podr\u00eda permitir la instanciaci\u00f3n de clases arbitrarias mediante su constructor p\u00fablico sin par\u00e1metros y, en consecuencia, llamar a m\u00e9todos setter arbitrarios de Java Beans. La capacidad para explotar esta vulnerabilidad depende de la disponibilidad de las clases en la ruta de clase que emplea la deserializaci\u00f3n. Un atacante remoto con la capacidad de suplantar o controlar informaci\u00f3n podr\u00eda ser capaz de enviar objetos Java serializados con propiedades preestablecidas que resultan en la ejecuci\u00f3n de c\u00f3digo arbitrario cuando se deserializan."}], "id": "CVE-2017-3202", "lastModified": "2019-10-09T23:27:22.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-11T17:29:00.617", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97380"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/307983"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-913"}], "source": "cret@cert.org", "type": "Secondary"}]}