CVE-2024-23636

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-23636
SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like `-Drpc_serialize_blacklist_override=org.apache.xpath.` to avoid this issue.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76 Patch
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*
History

01 Feb 2024, 20:17

Type Values Removed Values Added
CPE cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*
Summary
  • (es) SOFARPC es un framework Java RPC. SOFARPC utiliza de forma predeterminada el protocolo SOFA Hessian para deserializar los datos recibidos, mientras que el protocolo SOFA Hessian utiliza un mecanismo de lista negra para restringir la deserialización de clases potencialmente peligrosas para la protección de la seguridad. Pero, antes de la versión 5.12.0, existía una cadena de dispositivos que podía eludir el mecanismo de protección de la lista negra de SOFA Hessian, y esta cadena de dispositivos solo se basa en JDK y no depende de ningún componente de terceros. La versión 5.12.0 solucionó este problema agregando una lista negra. SOFARPC también proporciona una forma de agregar listas negras adicionales. Los usuarios pueden agregar una clase como `-Drpc_serialize_blacklist_override=org.apache.xpath.` para evitar este problema.
References () https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76 - () https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76 - Patch
References () https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr - () https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr - Vendor Advisory
First Time Sofastack
Sofastack sofarpc

23 Jan 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-23 18:15

Updated : 2024-02-01 20:17

NVD link : CVE-2024-23636

Mitre link : CVE-2024-23636

CVE.ORG link : CVE-2024-23636

JSON object : View

Products Affected

sofastack

  • sofarpc
CWE
CWE-502

Deserialization of Untrusted Data