PT-2018-7251 · Flamingo · Flamingo Amf-Serializer
Markus Wulftange · Published 2018-06-11 · Updated 2022-05-13 · CVE-2017-3202
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Flamingo amf-serializer version 2.2.0
Description:
The Java implementation of the AMF3 deserializers in Flamingo amf-serializer may instantiate arbitrary classes from the class path through their public parameter-less constructors and then invoke arbitrary Java Beans setter methods with attacker-supplied values. This can lead to arbitrary code execution during deserialization. Whether the issue is exploitable depends on which classes are available on the class path and what their setters do when invoked. A remote attacker who can spoof or control the AMF3 input may be able to send serialized Java objects with pre-set properties.
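The behaviour described above (resolve the class named in the stream, call its no-arg constructor, then call a setter per property) is what makes the class-path contents security-relevant. The following added example is not Flamingo code; it is a simplified model of that materialization step with the mitigation a defender would want in front of it: an explicit allowlist consulted before any class is resolved, and property writes limited to the bean's own introspected setters. The `UserProfile` bean, the `ALLOWED_CLASSES` set and the sample property map are constructed for the example.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative model (not the Flamingo amf-serializer implementation) of the
 * step an AMF3 deserializer performs when it turns a serialized object into a
 * Java bean. The vulnerable pattern is "any class name from the stream is
 * accepted"; here the class name must be on an application-defined allowlist
 * before Class.forName() is ever called.
 */
public final class GuardedBeanMaterializer {

    // Constructed example bean: the only type this application expects over AMF3.
    public static final class UserProfile {
        private String name;
        private String email;
        public void setName(String name) { this.name = name; }
        public void setEmail(String email) { this.email = email; }
        @Override public String toString() { return "UserProfile{" + name + ", " + email + "}"; }
    }

    // Hypothetical allowlist. Unknown class names are rejected before any
    // constructor or setter runs, which removes the class-path dependence
    // described in the advisory.
    private static final Set<String> ALLOWED_CLASSES = Set.of(UserProfile.class.getName());

    public static Object materialize(String className, Map<String, Object> properties) throws Exception {
        if (!ALLOWED_CLASSES.contains(className)) {
            throw new SecurityException("Refusing to deserialize unlisted class: " + className);
        }
        Class<?> beanClass = Class.forName(className);
        Object bean = beanClass.getDeclaredConstructor().newInstance();

        // Only setters that bean introspection reports for this class are used;
        // a property name with no matching setter is an error, not silently ignored.
        BeanInfo info = Introspector.getBeanInfo(beanClass, Object.class);
        for (Map.Entry<String, Object> entry : properties.entrySet()) {
            Method setter = findSetter(info, entry.getKey());
            if (setter == null) {
                throw new IllegalArgumentException("No setter for property: " + entry.getKey());
            }
            setter.invoke(bean, entry.getValue());
        }
        return bean;
    }

    private static Method findSetter(BeanInfo info, String property) {
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getName().equals(property)) {
                return pd.getWriteMethod();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for a decoded AMF3 object body.
        Map<String, Object> props = Map.of("name", "alice", "email", "alice@example.com");
        System.out.println(materialize(UserProfile.class.getName(), props));

        try {
            materialize("some.unlisted.Type", Map.of());
        } catch (SecurityException e) {
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

The allowlist is the control that matters: without it, every class on the class path with a public no-arg constructor and setters with side effects is reachable from the input, which is exactly the condition the advisory describes.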
Recommendations:
For version 2.2.0, consider restricting the use of the AMF3 deserializers until a patch is available. As a temporary workaround, limit which classes on the class path the deserializer is allowed to instantiate, so that the set of reachable constructors and setters is minimized.
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Flamingo Amf-Serializer