vulnerability

VMware vCenter Server: CVE-2017-5641 (VMSA-2017-0007)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Dec 28, 2017	Jul 25, 2022	Jul 25, 2022

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Dec 28, 2017

Added

Jul 25, 2022

Modified

Jul 25, 2022

Description

Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.

Solution

vmware-vcenter-server-upgrade-latest

References

BID-97383
CERT-VN-307983
CVE-2017-5641
https://attackerkb.com/topics/CVE-2017-5641
URL-https://www.vmware.com/security/advisories/VMSA-2017-0007

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today