CVE-2023-41331

2023-09-1220:15:09

Google

osv.dev

sofarpc

java

rpc

vulnerable

remote

command execution

jndi injection

system command

blacklist

deserialization

jdk classes

third-party packages

fix

workaround

7.9 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

56.0%

JSON

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully
crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat to the blacklist.

CPENameOperatorVersion
sofa-rpceq5.4.1
sofa-rpceq5.6.1
sofa-rpceq5.7.10
sofa-rpceq5.7.5
sofa-rpceq5.5.0
sofa-rpceq5.9.2
sofa-rpceq5.7.6
sofa-rpceq5.8.0
sofa-rpceq5.6.0
sofa-rpceq5.10.0

Name	Operator	Version
sofa-rpc	eq	5.4.1
sofa-rpc	eq	5.6.1
sofa-rpc	eq	5.7.10
sofa-rpc	eq	5.7.5
sofa-rpc	eq	5.5.0
sofa-rpc	eq	5.9.2
sofa-rpc	eq	5.7.6
sofa-rpc	eq	5.8.0
sofa-rpc	eq	5.6.0
sofa-rpc	eq	5.10.0