Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 19 Jul 2018 10:14:16 -0700
From: Denis Magda <>
	Apache Security Team <>, Man Yue Mo <>,
Cc:, dev <>
Subject: [CVE-2018-8018] Possible Execution of Arbitrary Code via Apache
 Ignite GridClientJdkMarshaller

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Ignite 2.5 and earlier

An attacker can execute arbitrary code on Ignite nodes via
GridClientJdkMarshaller deserialization endpoint in the case when Ignite
classpath contains arbitrary vulnerable classes.

Apache Ignite serialization mechanism does not have a list of classes
allowed for serialization/deserialization, which makes it possible to run
arbitrary code when 3-rd party vulnerable classes are present in Ignite
classpath. The vulnerability can be exploited if the one sends a specially
prepared form of a serialized object to GridClientJdkMarshaller
deserialization endpoint.

•    All Ignite versions: make sure there are no vulnerable classes among
your custom code used in Apache Ignite.
•    Ignite 2.5 or earlier users: upgrade to Ignite 2.6 and use
properties to define classes allowed for deserialization. Refer to this
documentation for more details:

* The vulnerability was discovered by Man Yue Mo of


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.