CVE-2023-48886: GitHub - luxiaoxun/NettyRpc: A simple RPC framework based on Netty, ZooKeeper and Spring
A deserialization vulnerability in NettyRpc v1.2 allows attackers to execute arbitrary commands by sending a crafted RPC request.
// Client connecting to the registry at 127.0.0.1:2181 (presumably ZooKeeper, per the project
// title and the default ZooKeeper port — confirm against the project's RpcClient constructor).
final RpcClient rpcClient = new RpcClient("127.0.0.1:2181");
// Sync call: obtain a typed proxy for HelloService version "1.0" and invoke it directly.
HelloService helloService = rpcClient.createService(HelloService.class, "1.0");
String result = helloService.hello("World");
// Async call: obtain a generic RpcService handle for version "2.0"; call(...) returns an
// RPCFuture whose result is read with a 3000 ms timeout and cast to String.
// Note that `result` is declared again below, so the sync and async snippets are meant as
// two independent examples rather than one method body.
// NOTE(review): CVE-2023-48886 is a deserialization flaw triggered by a crafted RPC request
// reaching the server; this client snippet does not show which serializer/codec the server
// decodes with, so verify the server-side decoder and the project's fixed version before
// reusing this setup.
RpcService client = rpcClient.createAsyncService(HelloService.class, "2.0");
RPCFuture helloFuture = client.call("hello", "World");
String result = (String) helloFuture.get(3000, TimeUnit.MILLISECONDS);
/**
 * Example consumer that delegates to a remote {@code HelloService}.
 *
 * <p>Two proxies are injected through {@code @RpcAutowired}, distinguished only by
 * the declared service version; {@link #say(String)} forwards to the "1.0" proxy.
 */
public class Baz implements Foo {

    /** Proxy for service version "1.0"; the one {@link #say(String)} uses. */
    @RpcAutowired(version = "1.0")
    private HelloService helloService1;

    /** Proxy for service version "2.0"; injected but not referenced by this class. */
    @RpcAutowired(version = "2.0")
    private HelloService helloService2;

    /**
     * Forwards {@code s} unchanged to the remote "1.0" service and returns its reply.
     *
     * @param s argument handed to {@code HelloService.hello}
     * @return whatever the remote {@code hello} call returns
     */
    @Override
    public String say(String s) {
        HelloService target = helloService1;
        return target.hello(s);
    }
}