CVE-2017-5641
Severity: critical
CVSS v3: 9.8
CVSS v2: 7.5
VIR risk: 9.8
Description
Apache Flex BlazeDS unsafe deserialization
Predictions
Exploit likelihood: 97%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@apache.org — https://issues.apache.org/jira/browse/FLEX-35290
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.flex.blazeds:flex-messaging-core | <4.7.3 | 4.7.3 |
| Maven | org.apache.flex.blazeds:flex-messaging-remoting | <4.7.3 | 4.7.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | flex_blazeds | <=4.7.2 | |
| hp | xp_command_view_advanced_edition | <8.5.3-00 | 8.5.3-00 |
References
- http://mail-archives.apache.org/mod_mbox/flex-dev/201703.mbox/%3C6B86C8D0-6E36-48F5-AC81-4AB3978F6746%40c-ware.de%3E
- http://www.securityfocus.com/bid/97383
- http://www.securitytracker.com/id/1038273
- https://issues.apache.org/jira/browse/FLEX-35290
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03823en_us
- https://www.kb.cert.org/vuls/id/307983
- https://www.zerodayinitiative.com/advisories/ZDI-22-506/
- https://www.zerodayinitiative.com/advisories/ZDI-22-507/
- https://nvd.nist.gov/vuln/detail/CVE-2017-5641
- https://github.com/apache/flex-blazeds/commit/11b0aa132d9a43bf81fa12654ff227ff247b4627
- https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1
- https://github.com/apache/flex-blazeds
- https://web.archive.org/web/20170920093830/http://www.securitytracker.com/id/1038273
- https://web.archive.org/web/20210124021605/http://www.securityfocus.com/bid/97383
CWEs
CWE-502