Lucene search

[email protected]CVE-2024-23636

HistoryJan 23, 2024 - 6:15 p.m.

CVE-2024-23636

2024-01-2318:15:19

CWE-502

[email protected]

web.nvd.nist.gov

sofarpc

java

rpc

framework

cve

2024

23636

sofa hessian

blacklist

deserialization

security

vulnerability

gadget chain

jdk

fix

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.3%

JSON

SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like -Drpc_serialize_blacklist_override=org.apache.xpath. to avoid this issue.

Affected configurations

Vulners

NVD

Node

sofastacksofarpcRange<5.12.0

VendorProductVersionCPE
sofastacksofarpc*cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sofastack	sofarpc	*	cpe:2.3:a:sofastack:sofarpc::::::::

CNA Affected

[
  {
    "vendor": "sofastack",
    "product": "sofa-rpc",
    "versions": [
      {
        "version": "< 5.12.0",
        "status": "affected"
      }
    ]
  }
]