CVE-2017-3201

Name of the Vulnerable Software and Affected Versions: Flamingo amf-serializer version 2.2.0

Description: The Java implementation of AMF3 deserializers in Flamingo amf-serializer derives class instances from java.io.Externalizable, contrary to the AMF3 specification's recommendation of flash.utils.IExternalizable. This could allow a remote attacker with the ability to spoof or control an RMI server connection to send serialized Java objects that execute arbitrary code when deserialized.

Recommendations: For version 2.2.0, consider restricting the deserialization of Java objects from untrusted sources to minimize the risk of exploitation. As a temporary workaround, consider disabling the deserialization of objects that implement java.io.Externalizable until a patch is available.