Vulnerabilities > CVE-2024-46983 - Unspecified vulnerability in Antfin Sofa-Hessian

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

antfin

critical

NVD

Published: 2024-09-19

Updated: 2024-09-25

Summary

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`.

Vulnerable Configurations

Part	Description	Count
Application	Antfin Antfin Sofa Hessian - Antfin Sofa Hessian 3.3.0 Antfin Sofa Hessian 3.3.1 Antfin Sofa Hessian 3.3.2 Antfin Sofa Hessian 3.3.3 Antfin Sofa Hessian 3.3.4 Antfin Sofa Hessian 3.3.5 Antfin Sofa Hessian 3.3.6 Antfin Sofa Hessian 3.3.7 Antfin Sofa Hessian 3.3.8 Antfin Sofa Hessian 3.3.9 Antfin Sofa Hessian 3.3.10 Antfin Sofa Hessian 3.4.0 Antfin Sofa Hessian 3.5.0 Antfin Sofa Hessian 3.5.2 Antfin Sofa Hessian 3.5.3 Antfin Sofa Hessian 3.5.4	17

References

https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj