CVE-2024-46983
Deserialization of Untrusted Data (CWE-502)
Summary
sofa-hessian, an internal improved version of Hessian3/4 developed by Ant Group CO., Ltd., has a vulnerability in its deserialization process. The software uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. However, there exists a gadget chain that can bypass this blacklist protection mechanism. This bypass relies only on JDK and does not require any third-party components.
Impact
This vulnerability allows for deserialization of untrusted data, which can lead to remote code execution. The potential impact is severe, with high risks to confidentiality, integrity, and availability of the affected systems. Attackers can exploit this vulnerability over the network without requiring any user interaction or privileges. Given the CVSS base score of 9.8 (Critical), this vulnerability poses a significant threat to organizations using the affected software.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
A patch is available. Users can upgrade to sofahessian version 3.5.5 to address this vulnerability.
Mitigation
For immediate mitigation, it is strongly recommended to upgrade to sofahessian version 3.5.5. For users unable to upgrade immediately, an alternative mitigation strategy is to maintain a custom blacklist in the directory `external/serialize.blacklist`. This allows for manual addition of potentially dangerous classes to the blacklist, providing an additional layer of protection against this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
Detection for the vulnerability has been added to Qualys (5001051)
Feedly found the first article mentioning CVE-2024-46983. See article
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-46983
A CVSS base score of 9.8 has been assigned.