GHSA-7q8p-9953-pxvr

Suggest an improvement
Source
https://github.com/advisories/GHSA-7q8p-9953-pxvr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-7q8p-9953-pxvr/GHSA-7q8p-9953-pxvr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7q8p-9953-pxvr
Aliases
Published
2024-01-23T20:10:20Z
Modified
2024-02-16T08:13:01.857139Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Remote Command Execution in SOFARPC
Details

Impact SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.

Patches Fixed this issue by adding a blacklist, users can upgrade to sofarpc version 5.12.0 to avoid this issue.

Workarounds SOFARPC also provides a way to add additional blacklist. Users can add some class like -Drpcserializeblacklist_override=org.apache.xpath. to avoid this issue.

References

Affected packages

Maven / com.alipay.sofa:rpc-sofa-boot-starter

Package

Name
com.alipay.sofa:rpc-sofa-boot-starter
View open source insights on deps.dev
Purl
pkg:maven/com.alipay.sofa/rpc-sofa-boot-starter

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.12.0

Affected versions

3.*

3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.12.0
3.12.1
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.16.1
3.16.2
3.16.3
3.17.0
3.18.0
3.18.1
3.19.0
3.19.1
3.20.0
3.21.0
3.22.0

4.*

4.0.0-M1
4.0.0-M2
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0

5.*

5.3.0
5.3.1
5.3.2
5.4.0
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.5.0
5.5.1
5.5.2
5.5.3