Date: Thu, 19 Jul 2018 10:14:16 -0700 From: Denis Magda <dmagda@...che.org> To: announce@...che.org, security@...ite.apache.org, Apache Security Team <security@...che.org>, Man Yue Mo <mmo@...mle.com>, oss-security@...ts.openwall.com Cc: user@...ite.apache.org, dev <dev@...ite.apache.org> Subject: [CVE-2018-8018] Possible Execution of Arbitrary Code via Apache Ignite GridClientJdkMarshaller Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Ignite 2.5 and earlier Impact: An attacker can execute arbitrary code on Ignite nodes via GridClientJdkMarshaller deserialization endpoint in the case when Ignite classpath contains arbitrary vulnerable classes. Description: Apache Ignite serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to GridClientJdkMarshaller deserialization endpoint. Mitigation: • All Ignite versions: make sure there are no vulnerable classes among your custom code used in Apache Ignite. • Ignite 2.5 or earlier users: upgrade to Ignite 2.6 and use IGNITE_MARSHALLER_WHITELIST and/or IGNITE_MARSHALLER_BLACKLIST system properties to define classes allowed for deserialization. Refer to this documentation for more details: https://apacheignite.readme.io/docs/securing-data-deserialization Credit: * The vulnerability was discovered by Man Yue Mo of lgtm.com. References: * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8018
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ