www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Denis Magda <dma...@apache.org>
Subject [CVE-2018-8018] Possible Execution of Arbitrary Code via Apache Ignite GridClientJdkMarshaller
Date Thu, 19 Jul 2018 17:14:16 GMT
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Ignite 2.5 and earlier

Impact:
An attacker can execute arbitrary code on Ignite nodes via
GridClientJdkMarshaller deserialization endpoint in the case when Ignite
classpath contains arbitrary vulnerable classes.

Description:
Apache Ignite serialization mechanism does not have a list of classes
allowed for serialization/deserialization, which makes it possible to run
arbitrary code when 3-rd party vulnerable classes are present in Ignite
classpath. The vulnerability can be exploited if the one sends a specially
prepared form of a serialized object to GridClientJdkMarshaller
deserialization endpoint.

Mitigation:
•    All Ignite versions: make sure there are no vulnerable classes among
your custom code used in Apache Ignite.
•    Ignite 2.5 or earlier users: upgrade to Ignite 2.6 and use
IGNITE_MARSHALLER_WHITELIST and/or IGNITE_MARSHALLER_BLACKLIST system
properties to define classes allowed for deserialization. Refer to this
documentation for more details:
https://apacheignite.readme.io/docs/securing-data-deserialization

Credit:
* The vulnerability was discovered by Man Yue Mo of lgtm.com.

References:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8018

Mime
View raw message