PT-2018-7254 · Midnight Coders · Weborb For Java
Published: 2018-06-11 · Updated: 2019-10-09
CVE-2017-3207
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
WebORB for Java version 5.1.1.0
Description:
The Java implementation of the AMF3 deserializers in WebORB for Java derives class instances from java.io.Externalizable rather than from flash.utils.IExternalizable, as the AMF3 specification recommends. Because java.io.Externalizable types are instantiated and have their readExternal() logic run during decoding, a remote attacker who can spoof or control an RMI server connection could send serialized Java objects that execute arbitrary code when deserialized.
Recommendations:
For WebORB for Java version 5.1.1.0, update to a release whose deserialization follows the AMF3 specification's recommendation, or apply a vendor patch if one is available, to prevent arbitrary code execution. At the time of writing, no newer release containing a fix for this vulnerability is known.
Exploit
Weakness Enumeration: Deserialization of Untrusted Data
Related Identifiers
Affected Products: Weborb For Java