Lucene search

K
cveGitHub_MCVE-2024-23636
HistoryJan 23, 2024 - 6:15 p.m.

CVE-2024-23636

2024-01-2318:15:19
CWE-502
GitHub_M
web.nvd.nist.gov
27
sofarpc
java
rpc
framework
cve
2024
23636
sofa hessian
blacklist
deserialization
security
vulnerability
gadget chain
jdk
fix
nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.001

Percentile

31.1%

SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like -Drpc_serialize_blacklist_override=org.apache.xpath. to avoid this issue.

Affected configurations

Nvd
Vulners
Node
sofastacksofarpcRange<5.12.0
VendorProductVersionCPE
sofastacksofarpc*cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "sofastack",
    "product": "sofa-rpc",
    "versions": [
      {
        "version": "< 5.12.0",
        "status": "affected"
      }
    ]
  }
]

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.001

Percentile

31.1%