- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-23636
Remote Command Execution in SOFARPC
Critical severity GitHub Reviewed Published Jan 23, 2024 in sofastack/sofa-rpc • Updated Jan 23, 2024
Package
com.alipay.sofa:rpc-sofa-boot-starter (Maven)
Affected versions
< 5.12.0
Impact
SOFARPC uses the SOFA Hessian protocol by default to deserialize received data. SOFA Hessian relies on a blacklist to block deserialization of potentially dangerous classes. However, there is a gadget chain that bypasses the SOFA Hessian blacklist, and this gadget chain relies only on the JDK and does not depend on any third-party components.
Patches
This issue is fixed by adding to the blacklist; users can upgrade to SOFARPC version 5.12.0 to avoid it.
Workarounds
SOFARPC also provides a way to extend the blacklist. Users can add classes such as `-Drpc_serialize_blacklist_override=org.apache.xpath.` to the JVM options to avoid this issue.
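The following audit helper is an added example, not part of the advisory or of the SOFARPC project. It checks a Maven pom for the affected artifact at a version below 5.12.0 (comparing version components numerically, so that 5.9.1 is correctly treated as older than 5.12.0) and checks a JVM command line for the documented `-Drpc_serialize_blacklist_override` workaround. The sample pom and JVM arguments are constructed for the example; the assumption that multiple override entries are comma-separated is the example's own and is not stated by the advisory.

```python
"""Audit helper for CVE-2024-23636 / GHSA-7q8p-9953-pxvr (added example).

Flags the affected SOFARPC Maven artifact below the fixed version and checks
whether the advisory's blacklist-override workaround is set on the JVM.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "5.12.0"                       # from the advisory
AFFECTED_ARTIFACT = ("com.alipay.sofa", "rpc-sofa-boot-starter")
WORKAROUND_PROPERTY = "rpc_serialize_blacklist_override"
WORKAROUND_PREFIX = "org.apache.xpath."       # value shown in the advisory

# Constructed sample pom (not from any real project): one affected dependency,
# one unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.alipay.sofa</groupId>
      <artifactId>rpc-sofa-boot-starter</artifactId>
      <version>5.9.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """Split '5.9.1' into (5, 9, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version):
    """True if version < 5.12.0; None when the version cannot be parsed
    (for example a Maven property such as ${sofa.rpc.version})."""
    parsed = parse_version(version)
    if not parsed:
        return None
    return parsed < parse_version(FIXED_VERSION)


def _local(tag):
    """Strip the XML namespace so the pom's default namespace does not matter."""
    return tag.rsplit("}", 1)[-1]


def find_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> in the pom,
    including those under <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    deps = []
    for element in root.iter():
        if _local(element.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        deps.append((fields.get("groupId"), fields.get("artifactId"), fields.get("version")))
    return deps


def affected_dependencies(pom_xml):
    """Dependencies on the affected artifact with a resolvable version below 5.12.0.
    Unresolvable versions (properties) are skipped here and need a resolved
    dependency tree (e.g. mvn dependency:list) to decide."""
    return [
        dep for dep in find_dependencies(pom_xml)
        if (dep[0], dep[1]) == AFFECTED_ARTIFACT and dep[2] and is_affected(dep[2]) is True
    ]


def workaround_present(jvm_args):
    """True if the JVM arguments set the blacklist override to include
    org.apache.xpath. Assumption (not from the advisory): several entries may
    be given as a comma-separated list."""
    for arg in jvm_args:
        if arg.startswith("-D" + WORKAROUND_PROPERTY + "="):
            value = arg.split("=", 1)[1]
            return any(entry.strip() == WORKAROUND_PREFIX for entry in value.split(","))
    return False


if __name__ == "__main__":
    # Constructed JVM command line for the demonstration.
    sample_args = ["-Drpc_serialize_blacklist_override=org.apache.xpath.", "-jar", "app.jar"]
    for dep in affected_dependencies(SAMPLE_POM):
        print("affected:", dep, "-> upgrade to", FIXED_VERSION)
    print("workaround present:", workaround_present(sample_args))
```

The version check alone is not proof of exposure: a transitive dependency can pull the affected artifact in without appearing in the pom, so run the same check over a resolved dependency tree. Likewise, the workaround check only tells you the property is set; it does not verify that the running SOFARPC build actually honours it.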
References
- GHSA-7q8p-9953-pxvr
- https://nvd.nist.gov/vuln/detail/CVE-2024-23636
- sofastack/sofa-rpc@42d19b1
- sofastack/sofa-rpc@d08e258
Published to the GitHub Advisory Database
Jan 23, 2024
Last updated
Jan 23, 2024