CVE-2017-3199

Name of the Vulnerable Software and Affected Versions: GraniteDS version 3.1.1.GA

Description: The Java implementation of GraniteDS has an issue where AMF3 deserializers derive class instances from java.io.Externalizable instead of following the AMF3 specification's recommendation of flash.utils.IExternalizable. This could allow a remote attacker, who can spoof or control an RMI server connection, to send serialized Java objects that execute arbitrary code when deserialized.

Recommendations: For GraniteDS version 3.1.1.GA, consider restricting access to the AMF3 deserialization functionality until a proper fix is available, or apply configuration changes that limit the ability of remote attackers to send malicious serialized objects. At the moment, there is no information about a newer version that contains a fix for this vulnerability.