CVE-2017-3208

9.8 CRITICAL

📋 TL;DR

WebORB for Java 5.1.1.0 hands XML carried inside AMF3 messages to a parser that resolves external entities, so an attacker who can send AMF3 messages to the server can trigger XML External Entity (XXE) processing, potentially leading to sensitive data exposure, denial of service, or server-side request forgery. It affects systems using WebORB for Java version 5.1.1.0 with its vulnerable AMF3 deserializer.

💻 Affected Systems

Products:
  • WebORB for Java by Midnight Coders
Versions: 5.1.1.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Requires AMF3 deserialization with XML parsing enabled; typically affects Java web applications using WebORB for AMF messaging.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution, complete server compromise, and data exfiltration via XXE attacks embedded in AMF3 messages.

🟠 Likely Case

Sensitive file disclosure (e.g., /etc/passwd), denial of service via entity expansion attacks, or internal network probing via SSRF.

🟢 If Mitigated

Limited impact if XML parsing is disabled or external entity resolution is blocked at network/application layers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted AMF3 messages with embedded XXE payloads; a public proof-of-concept demonstrates file disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.1.1 or later

Vendor Advisory: http://www.themidnightcoders.com/

Restart Required: Yes

Instructions:

1. Upgrade WebORB for Java to version 5.1.1.1 or later.
2. Replace the vulnerable AMF3 deserializer library.
3. Restart the application server.

🔧 Temporary Workarounds

Disable XXE Processing

Platforms: all

Configure XML parsers to disable external entity resolution in the AMF3 deserializer.

Set XML parser properties: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true

Input Validation Filter

Platforms: all

Implement a filter to reject AMF3 messages containing XML DOCTYPE declarations or external entity references.
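Both workarounds above in one place, as an added Java example that is not WebORB's own code: a pre-parse filter that rejects any XML string declaring a DOCTYPE or ENTITY, and a DocumentBuilderFactory configured with secure processing on and DTD/external entity resolution off. The class and method names are hypothetical; where WebORB's AMF3 deserializer obtains its XML parser is not described on this page, so the hardened factory would have to be wired in at that point.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class HardenedAmfXml {
    // Pre-parse filter: no legitimate AMF3 XML payload needs a DTD, so any
    // DOCTYPE or ENTITY declaration is grounds to reject the whole message.
    private static final Pattern DTD_MARKERS =
        Pattern.compile("<!(DOCTYPE|ENTITY)", Pattern.CASE_INSENSITIVE);

    public static boolean containsDtd(String xml) {
        return DTD_MARKERS.matcher(xml).find();
    }

    // Parser factory with secure processing on and DOCTYPE/external entities off.
    // "DISALLOW_DOCTYPE_DECL" in the advisory corresponds to the Xerces feature URI below.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore disallow-doctype-decl.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads standing in for the XML field of an AMF3 message.
        String benign = "<msg><user>alice</user></msg>";
        String withDtd = "<!DOCTYPE msg [<!ENTITY x \"test\">]><msg>&x;</msg>";
        System.out.println("filter flags benign payload: " + containsDtd(benign));
        System.out.println("filter flags DTD payload: " + containsDtd(withDtd));
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        db.parse(new ByteArrayInputStream(benign.getBytes(StandardCharsets.UTF_8)));
        try {
            // Even without the pre-parse filter, the hardened parser refuses the DOCTYPE.
            db.parse(new ByteArrayInputStream(withDtd.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```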

🧯 If You Can't Patch

  • Block or filter incoming AMF3 traffic at network perimeter (e.g., WAF rules to detect XXE patterns).
  • Isolate affected systems in segmented network zones to limit lateral movement if compromised.

🔍 How to Verify

Check if Vulnerable:

Check WebORB version in application configuration or library files; if version is 5.1.1.0, it is vulnerable.

Check Version:

grep -r 'weborb' /path/to/webapp/ | grep -i version

Verify Fix Applied:

Verify WebORB version is 5.1.1.1 or later and test with a benign XXE payload to confirm rejection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual AMF3 deserialization errors
  • XML parsing exceptions with external entity references
  • Increased server load from malformed requests

Network Indicators:

  • AMF3 traffic containing XML DOCTYPE or ENTITY declarations
  • Outbound requests from server to internal resources triggered by incoming AMF3 messages

SIEM Query:

source="*weborb*" AND (message="*XXE*" OR message="*DOCTYPE*" OR message="*ENTITY*")
