Date: Sun, 1 Apr 2018 21:11:12 -0700
From: Denis Magda <dmagda@...che.org>
To: dev <dev@...ite.apache.org>, user@...ite.apache.org, 
	Man Yue Mo <mmo@...mle.com>, security@...che.org, security@...ite.apache.org, 
	oss-security@...ts.openwall.com
Subject: [CVE-2018-1295]: Possible Execution of Arbitrary Code Within Deserialization Endpoints of Apache Ignite

CVE-2018-1295: Possible Execution of Arbitrary Code Within Deserialization
Endpoints of Apache Ignite

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Ignite 2.3 or earlier

Impact:
An attacker can execute arbitrary code on Ignite nodes when the Ignite
classpath contains vulnerable classes.

Description:
The Apache Ignite serialization mechanism has no list of classes allowed
for serialization/deserialization, which makes it possible to run arbitrary
code when vulnerable third-party classes are present on the Ignite
classpath. The vulnerability can be exploited if one sends a specially
prepared serialized object to one of the deserialization endpoints of
certain Ignite components: discovery SPI, Ignite persistence, the Memcached
endpoint, and the socket streamer.

Mitigation:
• All Ignite versions: make sure there are no vulnerable classes among
the custom code used in Apache Ignite.
• Ignite 2.3 or earlier users: upgrade to Ignite 2.4 and use the
IGNITE_MARSHALLER_WHITELIST and/or IGNITE_MARSHALLER_BLACKLIST system
properties to define the classes allowed for deserialization.
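
As an added illustration (not part of this advisory or of the Ignite project's code), the snippet below stages an allowlist and a denylist file and checks class names against them with the allow-and-deny logic the two system properties express. The one-class-per-line file format, the denylist taking precedence, the /opt/ignite install path and ignite.sh honouring JVM_OPTS are assumptions made for the example.

```shell
#!/bin/sh
# Added example: stage allowlist/denylist files for the Ignite marshaller and
# check class names against them. Assumed: one fully-qualified class name per
# line in each file; ignite.sh reads JVM_OPTS; /opt/ignite is the install dir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
WHITELIST="$WORK/marshaller-whitelist.txt"
BLACKLIST="$WORK/marshaller-blacklist.txt"

# Constructed allowlist: only the application's own value classes.
cat > "$WHITELIST" <<'EOF'
com.example.orders.OrderEvent
com.example.orders.OrderLine
EOF

# Constructed denylist: a class that must never be deserialized, even if it
# is later added to the classpath by a dependency.
cat > "$BLACKLIST" <<'EOF'
com.example.legacy.RemoteCommand
EOF

# deser_allowed CLASS [WHITELIST] [BLACKLIST]
# Returns 0 when CLASS would be accepted: absent from the denylist and, if an
# allowlist is configured, present in it. Exact, literal line matches only.
deser_allowed() {
    cls="$1"; wl="${2:-$WHITELIST}"; bl="${3:-$BLACKLIST}"
    if [ -s "$bl" ] && grep -qxF -- "$cls" "$bl"; then
        return 1                       # explicitly denied
    fi
    if [ -s "$wl" ] && ! grep -qxF -- "$cls" "$wl"; then
        return 1                       # allowlist in force, class not on it
    fi
    return 0
}

# Starting a node with both properties set (commented out; paths assumed):
# JVM_OPTS="-DIGNITE_MARSHALLER_WHITELIST=$WHITELIST -DIGNITE_MARSHALLER_BLACKLIST=$BLACKLIST" \
#     /opt/ignite/bin/ignite.sh config/default-config.xml
```

Keep the allowlist under version control next to the node configuration so a classpath change that adds a new serialized type is reviewed before it is admitted.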

Credit:
The vulnerability was discovered by Man Yue Mo of lgtm.com.

References:
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1295
