Headline
CVE-2023-41331: Remote Command Execution (RCE) Vulnerability
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat to the blacklist.
Impact
The SOFARPC framework is exposed to a Remote Command Execution (RCE) vulnerability. Through a carefully
crafted payload, an attacker can achieve a JNDI injection or system command execution attack.
In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes
encountered during the deserialization process. However, the blacklist is not comprehensive, and we will
demonstrate that we can exploit certain native JDK classes and common third-party packages (e.g., fastjson,
jackson, etc., which are also introduced into the SOFARPC framework) to construct gadget chains capable of
achieving JNDI Injection or System Command Execution attacks.
Patches
This issue is fixed by extending the blacklist; users can upgrade to SOFARPC version 5.11.0 to avoid it.
Workarounds
SOFARPC also provides a way to add additional blacklist entries. Users can add -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat to the JVM options to avoid this issue.
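As an added illustration (not part of this advisory or of the SOFARPC project), the Python script below audits a deployment for the two conditions the advisory gives: it flags any `com.alipay.sofa:sofa-rpc-*` dependency below 5.11.0 in the output of `mvn dependency:list`, and it checks whether a JVM command line already carries the `-Drpc_serialize_blacklist_override=` workaround with `javax.sound.sampled.AudioFileFormat`. The Maven output and command lines are constructed samples; the artifact-name filter and the assumption that the override property accepts a comma-separated list are mine, not statements from the page.

```python
import re
import shlex
from typing import Dict, List, Tuple

OVERRIDE_PROPERTY = "rpc_serialize_blacklist_override"
REQUIRED_OVERRIDE_CLASS = "javax.sound.sampled.AudioFileFormat"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.10.0' or '5.11.0-SNAPSHOT' into a comparable tuple.

    A pre-release tag (anything after '-') sorts below the final release of
    the same number, so '5.11.0-SNAPSHOT' is still treated as affected.
    """
    core, _, prerelease = version.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))  # pad '5.11' to '5.11.0'
    return tuple(parts[:3]) + ((-1,) if prerelease else (0,))


FIXED_VERSION = parse_version("5.11.0")  # first version containing the fix (from the advisory)


def is_affected(version: str) -> bool:
    """True when the SOFARPC version is below 5.11.0."""
    return parse_version(version) < FIXED_VERSION


# One line of `mvn dependency:list` output: groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def find_vulnerable_dependencies(dependency_list_output: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for SOFARPC artifacts below the fixed version.

    Assumption: SOFARPC artifacts live under group com.alipay.sofa with an
    artifactId starting with 'sofa-rpc'.
    """
    hits = []
    for line in dependency_list_output.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        if m["group"] == "com.alipay.sofa" and m["artifact"].startswith("sofa-rpc"):
            if is_affected(m["version"]):
                hits.append((f"{m['group']}:{m['artifact']}", m["version"]))
    return hits


def override_covers(command_line: str) -> bool:
    """True when the JVM command line sets the override property and it includes the advisory's class.

    Assumption: several entries may be given as a comma-separated list.
    """
    prefix = f"-D{OVERRIDE_PROPERTY}="
    for arg in shlex.split(command_line):
        if arg.startswith(prefix):
            entries = {e.strip() for e in arg[len(prefix):].split(",")}
            return REQUIRED_OVERRIDE_CLASS in entries
    return False


def audit(dependency_list_output: str, command_line: str) -> Dict[str, object]:
    """Combine both checks: action is required only if a vulnerable artifact is present and no override is set."""
    vulnerable = find_vulnerable_dependencies(dependency_list_output)
    mitigated = override_covers(command_line)
    return {
        "vulnerable_artifacts": vulnerable,
        "override_present": mitigated,
        "action_required": bool(vulnerable) and not mitigated,
    }


# Constructed sample input, shaped like `mvn dependency:list` output (versions are illustrative).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.alipay.sofa:sofa-rpc-all:jar:5.10.0:compile
[INFO]    com.alibaba:fastjson:jar:1.2.83:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
"""

# Constructed sample JVM command lines: one without and one with the advisory's workaround.
SAMPLE_COMMAND_LINES = {
    "unpatched": "java -jar app.jar",
    "workaround": "java -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat -jar app.jar",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMAND_LINES.items():
        print(label, audit(SAMPLE_DEPENDENCY_LIST, cmd))
```

Run it against the real `mvn dependency:list` output and the process command line (for example from `ps -o args=`) of each SOFARPC service; an `action_required` of `True` means the service is on a version below 5.11.0 and the override property is absent, so it needs either the upgrade or the workaround flag.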
Credits
Bofei Chen, Xinyou Huang, and Lei Zhang@secsys from Fudan.