GitHub Advisory Database: GHSA-C459-2M73-67HJ
History: Sep 19, 2024 - 2:49 p.m.

SOFA Hessian Remote Command Execution (RCE) Vulnerability

2024-09-19 14:49:20
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection')
CWE-502 (Deserialization of Untrusted Data)
Source: GitHub Advisory Database (github.com)
Tags: sofa hessian, blacklist mechanism, deserialization, gadget chain, jdk, third-party components, sofahessian, software vulnerability

CVSS3: 9.8 (Critical)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.3 (Confidence: Low)
EPSS: 0 (Percentile: 9.6%)

Impact

SOFA Hessian uses a blacklist (deny-list) of class names to refuse deserialization of known-dangerous classes. A gadget chain exists that bypasses this blacklist, and it relies only on classes shipped with the JDK, so an attacker who can feed Hessian data to an affected deserializer does not need any third-party component to be present on the target's classpath.

Patches

The issue is fixed by updating the blacklist; upgrade to sofahessian version 3.5.5 (or later) to resolve it.

Workarounds

If you cannot upgrade, you can maintain your own blacklist in the file external/serialize.blacklist. Since the advisory does not name the classes used by the bypass, a self-maintained list is only a stopgap; upgrading is the reliable fix.

Affected configurations

Vulners
Node: com.alipay.sofahessian, Range: <3.5.5

Vendor: com.alipay.sofa
Product: hessian
Version: *
CPE: cpe:2.3:a:com.alipay.sofa:hessian:*:*:*:*:*:*:*:*
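A practical check for the affected range listed above, written for this page as an added example (it is not code from the advisory or from the sofahessian project). It scans text shaped like `mvn dependency:list` output for the com.alipay.sofa:hessian artifact and flags every version below the fixed release 3.5.5. The sample lines are constructed, and both the exact line format and the handling of pre-release qualifiers (a 3.5.5-SNAPSHOT is treated as still vulnerable) are assumptions.

```python
"""Flag vulnerable com.alipay.sofa:hessian versions (GHSA-C459-2M73-67HJ, fixed in 3.5.5).

Added example, not part of the advisory or the sofahessian project.
"""
import re
from typing import List, Tuple

FIXED_VERSION = (3, 5, 5)                 # first fixed release per the advisory
AFFECTED_GA = ("com.alipay.sofa", "hessian")
PRERELEASE_PREFIXES = ("snapshot", "alpha", "beta", "rc", "m")  # assumption: Maven orders these before the release

# Constructed sample input (not real build output), shaped like `mvn dependency:list`:
# [INFO]    groupId:artifactId:type[:classifier]:version:scope
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.alipay.sofa:hessian:jar:3.3.6:compile
[INFO]    com.alipay.sofa:hessian:jar:3.5.5:compile
[INFO]    com.alipay.sofa:hessian:jar:3.5.4-SNAPSHOT:test
[INFO]    com.caucho:hessian:jar:4.0.66:compile
[INFO]    com.alipay.sofa:hessian:jar:3.6.0:runtime
"""

# group:artifact:type[:classifier]:version:scope, with an optional trailing comment
_DEP_RE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w.\-]+:)?([\w.\-]+):(\w+)\b.*$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version: '3.5.4-SNAPSHOT' -> (3, 5, 4).

    The qualifier after the first '-' is dropped here and only consulted
    by is_vulnerable() when the numeric part equals the fixed version.
    """
    core = version.split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if a com.alipay.sofa:hessian version falls in the advisory's range (< 3.5.5)."""
    nums = parse_version(version)
    if not nums:
        raise ValueError(f"cannot parse Maven version: {version!r}")
    padded = (nums + (0, 0, 0))[:3]       # '3.5' compares as 3.5.0
    if padded < FIXED_VERSION:
        return True
    if padded == FIXED_VERSION:
        # A pre-release of the fixed version (e.g. 3.5.5-SNAPSHOT) precedes the
        # release in Maven ordering, so it is assumed not to carry the fix.
        qualifier = version.split("-", 1)[1].lower() if "-" in version else ""
        return qualifier.startswith(PRERELEASE_PREFIXES)
    return False


def find_vulnerable(dependency_list: str) -> List[str]:
    """Return the vulnerable com.alipay.sofa:hessian versions found in the listing."""
    hits: List[str] = []
    for line in dependency_list.splitlines():
        match = _DEP_RE.match(line)
        if not match:
            continue                       # headers and non-dependency lines
        group, artifact, version, _scope = match.groups()
        if (group, artifact) == AFFECTED_GA and is_vulnerable(version):
            hits.append(version)
    return hits


if __name__ == "__main__":
    for found in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"VULNERABLE: com.alipay.sofa:hessian:{found} (< 3.5.5, GHSA-C459-2M73-67HJ)")
```

The com.caucho:hessian line is deliberately present in the sample: it is a different artifact with the same name and must not be flagged by this advisory's range, which is why the check matches on the full groupId:artifactId pair rather than the artifact name alone.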

