GHSA-7q8p-9953-pxvr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7q8p-9953-pxvr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-7q8p-9953-pxvr/GHSA-7q8p-9953-pxvr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7q8p-9953-pxvr
- Aliases
- Published
- 2024-01-23T20:10:20Z
- Modified
- 2024-02-16T08:13:01.857139Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Remote Command Execution in SOFARPC
- Details
-
Impact SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.
Patches Fixed this issue by adding a blacklist, users can upgrade to sofarpc version 5.12.0 to avoid this issue.
Workarounds SOFARPC also provides a way to add additional blacklist. Users can add some class like -Drpcserializeblacklist_override=org.apache.xpath. to avoid this issue.
- Database specific
{ "nvd_published_at": "2024-01-23T18:15:19Z", "cwe_ids": [ "CWE-502" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-01-23T20:10:20Z" }- References
-
- https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr
- https://nvd.nist.gov/vuln/detail/CVE-2024-23636
- https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76
- https://github.com/sofastack/sofa-rpc/commit/d08e25824ae9feaf0876adba9acd2938f34759b1
- https://github.com/sofastack/sofa-rpc
Affected packages
Maven / com.alipay.sofa:rpc-sofa-boot-starter
Package
- Name
- com.alipay.sofa:rpc-sofa-boot-starter
- View open source insights on deps.dev
- Purl
- pkg:maven/com.alipay.sofa/rpc-sofa-boot-starter
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.12.0
Affected versions
3.*
3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.6.0
3.7.0
3.8.0
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.12.0
3.12.1
3.13.0
3.14.0
3.14.1
3.15.0
3.16.0
3.16.1
3.16.2
3.16.3
3.17.0
3.18.0
3.18.1
3.19.0
3.19.1
3.20.0
3.21.0
3.22.0
4.*
4.0.0-M1
4.0.0-M2
4.0.0
4.0.1
4.0.2
4.1.0
4.2.0
5.*
5.3.0
5.3.1
5.3.2
5.4.0
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7
5.4.8
5.5.0
5.5.1
5.5.2
5.5.3