Vulnerabilities > CVE-2024-23636 - Deserialization of Untrusted Data vulnerability in Sofastack Sofarpc

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sofastack

CWE-502

critical

NVD

Published: 2024-01-23

Updated: 2024-02-01

Summary

SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Version 5.12.0 fixed this issue by adding a blacklist. SOFARPC also provides a way to add additional blacklists. Users can add a class like `-Drpc_serialize_blacklist_override=org.apache.xpath.` to avoid this issue.

Vulnerable Configurations

Part	Description	Count
Application	Sofastack Sofastack Sofarpc - Sofastack Sofarpc 5.3.0 Sofastack Sofarpc 5.3.1 Sofastack Sofarpc 5.3.2 Sofastack Sofarpc 5.3.3 Sofastack Sofarpc 5.4.0 Sofastack Sofarpc 5.4.1 Sofastack Sofarpc 5.4.2 Sofastack Sofarpc 5.4.3 Sofastack Sofarpc 5.4.4 Sofastack Sofarpc 5.4.5 Sofastack Sofarpc 5.4.6 Sofastack Sofarpc 5.4.7 Sofastack Sofarpc 5.4.8 Sofastack Sofarpc 5.5.0 Sofastack Sofarpc 5.5.1 Sofastack Sofarpc 5.5.2 Sofastack Sofarpc 5.5.3 Sofastack Sofarpc 5.5.4 Sofastack Sofarpc 5.5.5 Sofastack Sofarpc 5.5.6 Sofastack Sofarpc 5.5.7 Sofastack Sofarpc 5.5.8 Sofastack Sofarpc 5.5.9 Sofastack Sofarpc 5.6.0 Sofastack Sofarpc 5.6.1 Sofastack Sofarpc 5.6.2 Sofastack Sofarpc 5.6.3 Sofastack Sofarpc 5.6.4 Sofastack Sofarpc 5.6.5 Sofastack Sofarpc 5.7.0 Sofastack Sofarpc 5.7.1 Sofastack Sofarpc 5.7.2 Sofastack Sofarpc 5.7.3 Sofastack Sofarpc 5.7.4 Sofastack Sofarpc 5.7.5 Sofastack Sofarpc 5.7.6 Sofastack Sofarpc 5.7.7 Sofastack Sofarpc 5.7.8 Sofastack Sofarpc 5.7.9 Sofastack Sofarpc 5.7.10 Sofastack Sofarpc 5.8.0 Sofastack Sofarpc 5.8.1 Sofastack Sofarpc 5.8.2 Sofastack Sofarpc 5.8.3 Sofastack Sofarpc 5.8.4 Sofastack Sofarpc 5.8.5 Sofastack Sofarpc 5.8.6 Sofastack Sofarpc 5.8.7 Sofastack Sofarpc 5.8.8 Sofastack Sofarpc 5.9.0 Sofastack Sofarpc 5.9.1 Sofastack Sofarpc 5.9.2 Sofastack Sofarpc 5.10.0 Sofastack Sofarpc 5.10.1 Sofastack Sofarpc 5.11.0 Sofastack Sofarpc 5.11.1	57

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References