PT-2017-3932 · Apache · Apache Flex BlazeDS
Pedrib1337 · Published 2017-04-13 · Updated 2022-05-13
CVE-2017-5641
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Flex BlazeDS versions 4.7.2 and earlier
Description
Apache Flex BlazeDS 4.7.2 and earlier did not restrict which classes may be instantiated when deserializing AMF(X) objects. During deserialization, code belonging to the incoming types is executed (constructors, property setters and externalizable read routines); for several known types that code has undesired side effects, and other, unknown types may behave the same way. A remote, unauthenticated attacker who can reach an AMF endpoint can therefore name such a type in a request to trigger further Java deserialization of untrusted data and, with a suitable gadget chain present on the server's classpath, execute arbitrary code on the server.
Recommendations
Upgrade to Apache Flex BlazeDS 4.7.3 or later, which introduces a class deserialization validator that restricts the types allowed for AMF(X) object deserialization to an allow-list. Which classes the validator permits is controlled in services-config.xml, so verify that configuration after upgrading and keep the list to the classes the application actually exchanges. Products that embed BlazeDS (the affected-products list below includes VMware vCenter) need the vendor's patch rather than a bare library upgrade. Where upgrading is not immediately possible, restrict network access to the AMF endpoints to trusted clients and remove gadget-bearing libraries from the classpath where the application does not need them; this reduces but does not remove the risk, because any class reachable on the classpath remains a candidate.
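The hardening the recommendation describes, as an added example that is not part of the original advisory and is not a file shipped with BlazeDS: a `services-config.xml` fragment that enables the class deserialization validator introduced in BlazeDS 4.7.3 and allow-lists only the classes the application exchanges over AMF. The validator class and the `<validators>`/`<allowClasses>`/`<class name=...>` elements are the ones BlazeDS 4.7.3 introduced for this purpose; the application DTO classes under `com.example.dto` are assumed placeholders, and the exact set of framework classes your deployment needs should be confirmed against the installed version's documentation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Hardened services-config.xml fragment (added example, not part of BlazeDS).

  Weak state: BlazeDS 4.7.2 and earlier have no <validators> section and no
  validator at all, so any class name carried in an AMF(X) request is looked
  up on the classpath, instantiated and populated from attacker-controlled data.

  Hardened state (4.7.3 and later): only classes matching the allow-list below
  are deserialized; any other class name is rejected before its constructor,
  setters or readExternal() run.
-->
<services-config>

    <validators>
        <validator class="flex.messaging.validators.ClassDeserializationValidator">
            <properties>
                <allowClasses>
                    <!-- AMF envelope and collection types BlazeDS itself needs -->
                    <class name="flex.messaging.io.amf.ASObject"/>
                    <class name="flex.messaging.io.amf.SerializedObject"/>
                    <class name="flex.messaging.io.ArrayCollection"/>
                    <class name="flex.messaging.io.ArrayList"/>

                    <!-- Message types used by remoting and messaging channels -->
                    <class name="flex.messaging.messages.AcknowledgeMessage"/>
                    <class name="flex.messaging.messages.AsyncMessage"/>
                    <class name="flex.messaging.messages.CommandMessage"/>
                    <class name="flex.messaging.messages.ErrorMessage"/>
                    <class name="flex.messaging.messages.HTTPMessage"/>
                    <class name="flex.messaging.messages.RemotingMessage"/>
                    <class name="flex.messaging.messages.SOAPMessage"/>

                    <!-- Boxed JDK types that ordinary AMF payloads carry -->
                    <class name="java.lang.Boolean"/>
                    <class name="java.lang.Byte"/>
                    <class name="java.lang.Character"/>
                    <class name="java.lang.Double"/>
                    <class name="java.lang.Float"/>
                    <class name="java.lang.Integer"/>
                    <class name="java.lang.Long"/>
                    <class name="java.lang.Short"/>
                    <class name="java.lang.String"/>
                    <class name="java.util.Date"/>

                    <!-- Application DTOs: assumed placeholder package. List each
                         class explicitly; allow-listing a whole package tree can
                         readmit a gadget class that happens to live there. -->
                    <class name="com.example.dto.Order"/>
                    <class name="com.example.dto.OrderLine"/>
                </allowClasses>
            </properties>
        </validator>
    </validators>

    <!-- Channel, service and destination definitions are unchanged. -->

</services-config>
```

After deploying the allow-list, exercise every remoting call from the legitimate client and watch the server log for deserialization rejections: a missing application class shows up there as a failed call, which is the signal to extend the list by one named class rather than by a broad pattern.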
Exploit
RCE
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Affected Products
Apache Flex BlazeDS
VMware vCenter