Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-7q8p-9953-pxvr: Remote Command Execution in SOFARPC

Impact SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.

Patches Fixed this issue by adding a blacklist, users can upgrade to sofarpc version 5.12.0 to avoid this issue.

Workarounds SOFARPC also provides a way to add additional blacklist. Users can add some class like -Drpc_serialize_blacklist_override=org.apache.xpath. to avoid this issue.

ghsa
#apache#git#java#xpath#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-23636

Remote Command Execution in SOFARPC

Critical severity GitHub Reviewed Published Jan 23, 2024 in sofastack/sofa-rpc • Updated Jan 23, 2024

Package

maven com.alipay.sofa:rpc-sofa-boot-starter (Maven)

Affected versions

< 5.12.0

Impact
SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.

Patches
Fixed this issue by adding a blacklist, users can upgrade to sofarpc version 5.12.0 to avoid this issue.

Workarounds
SOFARPC also provides a way to add additional blacklist. Users can add some class like -Drpc_serialize_blacklist_override=org.apache.xpath. to avoid this issue.

References

  • GHSA-7q8p-9953-pxvr
  • https://nvd.nist.gov/vuln/detail/CVE-2024-23636
  • sofastack/sofa-rpc@42d19b1
  • sofastack/sofa-rpc@d08e258

Published to the GitHub Advisory Database

Jan 23, 2024

Last updated

Jan 23, 2024

ghsa: Latest News

GHSA-hxf5-99xg-86hw: cap-std doesn't fully sandbox all the Windows device filenames