A number of Java implementations of AMF3 are susceptible to insecure deserialization and XML external entity (XXE) reference, according to an advisory from CERT.
One flaw, CWE-502: Deserialization of Untrusted Data, could allow an attacker with the ability to spoof or control an RMI server connection to send serialized Java objects that execute arbitrary code when deserialized.
Another bug, CWE-913: Improper Control of Dynamically-Managed Code Resources, could enable a remote attacker to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.
A third flaw, CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’), arises when XML parsing is handled incorrectly; it could expose sensitive data on the server, or be used to initiate a denial of service or a server-side request forgery.
CERT recommends users apply updates immediately.
Developers are advised to use an updated Java development kit (JDK).
“JDK 8 update 121, JDK 7 update 131 and JDK 6 update 141 implement basic serialization blacklisting filters, while more serialization protection measures are expected in the upcoming Java 9,” the CERT report stated.