
CVE-2017-3203: Deserialization of Untrusted Data in Spring-flex

CVSS Score: 8.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.93999%
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: org.springframework.flex:spring-flex
Ecosystem: maven
Vulnerable Versions: <= 1.5.2.RELEASE
First Patched Version:

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the AMF3 deserializer deriving class instances from Java's java.io.Externalizable interface rather than from the Flash IExternalizable specification. Because of this implementation choice, an attacker can leverage Java's Externalizable classes (such as sun.rmi.server.UnicastRef) during AMF3 deserialization: the deserializer's readObject method instantiates whatever Externalizable class the stream names and calls its readExternal method, which in the UnicastRef case can trigger dangerous RMI operations. Public disclosures do not give exact file paths, but the core issue is clearly tied to the AMF3 deserialization logic that handles Externalizable types.
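The following added example (not spring-flex code, and not the project's actual fix) models the externalizable step described above: the unchecked method reproduces the pattern of instantiating whatever class the AMF3 stream names and calling its readExternal, while the checked method shows an assumed mitigation, a class-name allowlist applied before any class loading. The Order type, the ALLOWED set and the framed payload are constructed for the demonstration.

```java
import java.io.*;
import java.util.Set;

public class Amf3ExternalizableGuard {
    // Constructed sample DTO: the only type this endpoint is expected to exchange.
    public static class Order implements Externalizable {
        int quantity;
        public Order() {}
        public void writeExternal(ObjectOutput out) throws IOException { out.writeInt(quantity); }
        public void readExternal(ObjectInput in) throws IOException { quantity = in.readInt(); }
    }
    // Assumed mitigation: allowlist of class names the stream may ask us to instantiate.
    private static final Set<String> ALLOWED = Set.of(Order.class.getName());

    // Vulnerable pattern from the analysis: the class named in the stream is loaded,
    // instantiated, and its readExternal() runs, whatever class the sender named.
    static Object readExternalizableUnchecked(String className, ObjectInput in) throws Exception {
        Object o = Class.forName(className).getDeclaredConstructor().newInstance();
        ((Externalizable) o).readExternal(in);
        return o;
    }
    // Hardened: decide on the name string before Class.forName, so no static initializer,
    // constructor or readExternal of an unexpected class (e.g. sun.rmi.server.UnicastRef) runs.
    static Object readExternalizableChecked(String className, ObjectInput in) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new InvalidClassException(className, "not permitted for AMF3 externalizable decoding");
        }
        Class<?> c = Class.forName(className);
        if (!Externalizable.class.isAssignableFrom(c)) {
            throw new InvalidClassException(className, "does not implement java.io.Externalizable");
        }
        Externalizable o = (Externalizable) c.getDeclaredConstructor().newInstance();
        o.readExternal(in);
        return o;
    }
    public static void main(String[] args) throws Exception {
        // Constructed payload body: the int field of Order, framed by ObjectOutputStream.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeInt(7); }
        ObjectInput in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()));
        Order ok = (Order) readExternalizableChecked(Order.class.getName(), in);
        System.out.println("allowed class decoded, quantity=" + ok.quantity);
        try {
            readExternalizableChecked("sun.rmi.server.UnicastRef", in);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The unchecked variant is kept only for comparison and is never invoked; the allowlist check runs on the name string alone, so a rejected class is never loaded.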


WAF Protection Rules

WAF Rule

The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to
