CVE-2017-3200 - OpenCVE

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Graniteds	Graniteds

Configuration 1 [-]

cpe:2.3:a:graniteds:graniteds:3.1.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/97382
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
https://codewhitesec.blogspot.com/2017/04/amf.html
https://www.kb.cert.org/vuls/id/307983

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2018-06-11T17:00:00

Updated: 2024-08-05T14:16:28.479Z

Reserved: 2016-12-05T00:00:00

Link: CVE-2017-3200

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-06-11T17:29:00.447

Modified: 2020-02-05T19:35:55.517

Link: CVE-2017-3200

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Framework", "vendor": "GraniteDS", "versions": [{"status": "affected", "version": "3.1.1.G"}]}], "datePublic": "2017-04-04T00:00:00", "descriptions": [{"lang": "en", "value": "The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-913", "description": "CWE-913: Improper Control of Dynamically-Managed Code Resources", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-12T09:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "97382", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97382"}, {"tags": ["x_refsource_MISC"], "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"}, {"name": "VU#307983", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/307983"}, {"tags": ["x_refsource_MISC"], "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"}], "source": {"discovery": "UNKNOWN"}, "title": "The implementation of Action Message Format (AMF3) deserializers in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes due to improper code control", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2017-3200", "STATE": "PUBLIC", "TITLE": "The implementation of Action Message Format (AMF3) deserializers in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes due to improper code control"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Framework", "version": {"version_data": [{"affected": "=", "version_affected": "=", "version_name": "3.1.1.G", "version_value": "3.1.1.G"}]}}]}, "vendor_name": "GraniteDS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-913: Improper Control of Dynamically-Managed Code Resources"}]}]}, "references": {"reference_data": [{"name": "97382", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97382"}, {"name": "https://codewhitesec.blogspot.com/2017/04/amf.html", "refsource": "MISC", "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"}, {"name": "VU#307983", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/307983"}, {"name": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution", "refsource": "MISC", "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:16:28.479Z"}, "title": "CVE Program Container", "references": [{"name": "97382", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97382"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"}, {"name": "VU#307983", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/307983"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2017-3200", "datePublished": "2018-06-11T17:00:00", "dateReserved": "2016-12-05T00:00:00", "dateUpdated": "2024-08-05T14:16:28.479Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:graniteds:graniteds:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "3B952992-5FE8-4BA5-8916-D4EE395D627D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized."}, {"lang": "es", "value": "La implementaci\u00f3n de Java de los deserializadores AMF3 empleada en GraniteDS, versi\u00f3n 3.1.1.G, podr\u00eda permitir la instanciaci\u00f3n de clases arbitrarias mediante su constructor p\u00fablico sin par\u00e1metros y, en consecuencia, llamar a m\u00e9todos setter arbitrarios de Java Beans. La capacidad para explotar esta vulnerabilidad depende de la disponibilidad de las clases en la ruta de clase que emplea la deserializaci\u00f3n. Un atacante remoto con la capacidad de suplantar o controlar informaci\u00f3n podr\u00eda ser capaz de enviar objetos Java serializados con propiedades preestablecidas que resultan en la ejecuci\u00f3n de c\u00f3digo arbitrario cuando se deserializan."}], "id": "CVE-2017-3200", "lastModified": "2020-02-05T19:35:55.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-11T17:29:00.447", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97382"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codewhitesec.blogspot.com/2017/04/amf.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/307983"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-913"}], "source": "cret@cert.org", "type": "Secondary"}]}