### [CVE-2017-3207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3207)
![](https://img.shields.io/static/v1?label=Product&message=WebORB%20for%20Java&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=5.1.1.05.1.1.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502%3A%20Deserialization%20of%20Untrusted%20Data&color=brighgreen)

### Description

The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

### POC

#### Reference
- http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
- https://codewhitesec.blogspot.com/2017/04/amf.html
- https://www.kb.cert.org/vuls/id/307983

#### Github
- https://github.com/PalindromeLabs/Java-Deserialization-CVEs