SOFARPC Hessian deserialization blacklist bypass, remediated in 5.12.0
CVE-2024-23636 Published on January 23, 2024
SOFARPC Remote Command Execution (RCE) Vulnerability
SOFARPC is a Java RPC framework. By default, SOFARPC uses the SOFA Hessian protocol to deserialize received data, and SOFA Hessian relies on a blacklist mechanism to block deserialization of potentially dangerous classes. Prior to version 5.12.0, however, there is a gadget chain that bypasses the SOFA Hessian blacklist; the chain relies only on the JDK and does not depend on any third-party components. Version 5.12.0 fixes this issue by extending the blacklist. SOFARPC also provides a way to add entries to the blacklist: users can add a package prefix such as `-Drpc_serialize_blacklist_override=org.apache.xpath.` (a JVM system property) to mitigate this issue.
Vulnerability Analysis
CVE-2024-23636 is exploitable with network access and requires neither privileges nor user interaction. The attack complexity is considered low. The potential impact of exploitation is considered critical, since the vulnerability has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2024-23636 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2024-23636
Affected Versions
sofastack sofa-rpc Version < 5.12.0 is affected by CVE-2024-23636
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-23636
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | com.alipay.sofa:rpc-sofa-boot-starter | < 5.12.0 | 5.12.0 |
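As an added example (not part of the advisory and not SOFARPC project code), the following Python script ties together the affected coordinates and fix version from the table above with the blacklist-override mitigation from the description: it scans a constructed `pom.xml` for `com.alipay.sofa:rpc-sofa-boot-starter` below 5.12.0 and checks whether a JVM argument list carries `-Drpc_serialize_blacklist_override` covering `org.apache.xpath.`. The sample POM and JVM arguments are constructed for the demonstration, and the assumption that several override entries are separated by commas is the author's, not something the advisory states.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates and fix version as given in the advisory's package table.
VULNERABLE_ARTIFACT = ("com.alipay.sofa", "rpc-sofa-boot-starter")
FIXED_VERSION = "5.12.0"
# Package prefix from the advisory's suggested blacklist override.
MITIGATING_PREFIX = "org.apache.xpath."

# Constructed sample pom.xml (not a real project file): one affected
# dependency and one unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.alipay.sofa</groupId>
      <artifactId>rpc-sofa-boot-starter</artifactId>
      <version>5.11.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.9</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version: str) -> tuple:
    """Turn '5.11.1', '5.12' or '5.12.0-SNAPSHOT' into a comparable tuple.
    Missing components are padded with 0; a qualifier such as -SNAPSHOT sorts
    below the bare release of the same number."""
    base, _, qualifier = version.partition("-")
    numbers = tuple(int(p) for p in re.findall(r"\d+", base))
    numbers = numbers + (0,) * max(0, 3 - len(numbers))
    return numbers + ((-1,) if qualifier else (0,))


def is_vulnerable_version(version: str) -> bool:
    """True when the version is below the fix version stated in the advisory."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_dependencies(pom_xml: str) -> list:
    """Return (groupId, artifactId, version) for each dependency that matches the
    affected coordinates with a version below the fix."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS)
        if (gid, aid) == VULNERABLE_ARTIFACT and ver and is_vulnerable_version(ver):
            hits.append((gid, aid, ver))
    return hits


def blacklist_override_covers(jvm_args: list, prefix: str = MITIGATING_PREFIX) -> bool:
    """Check whether the JVM arguments set rpc_serialize_blacklist_override with an
    entry equal to `prefix`. Assumption (not stated in the advisory): multiple
    entries in the property value are comma-separated."""
    for arg in jvm_args:
        if arg.startswith("-Drpc_serialize_blacklist_override="):
            entries = arg.split("=", 1)[1].split(",")
            if any(e.strip() == prefix for e in entries):
                return True
    return False


if __name__ == "__main__":
    for gid, aid, ver in find_vulnerable_dependencies(SAMPLE_POM):
        print(f"{gid}:{aid}:{ver} is below {FIXED_VERSION}: upgrade, "
              f"or set the blacklist override as an interim mitigation")
    # Constructed JVM argument list carrying the advisory's override.
    args = ["-Xmx1g", "-Drpc_serialize_blacklist_override=org.apache.xpath."]
    print("blacklist override present:", blacklist_override_covers(args))
```

The version comparison deliberately treats `5.12.0-SNAPSHOT` as below `5.12.0`, so pre-release builds are still flagged; upgrading to the fixed release remains the primary remediation, with the override property serving as a stop-gap where an upgrade cannot be rolled out immediately.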
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.