Posted to user@ignite.apache.org by Denis Magda <dm...@apache.org> on 2018/04/02 04:11:12 UTC
[CVE-2018-1295]: Possible Execution of Arbitrary Code Within
Deserialization Endpoints of Apache Ignite
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Ignite 2.3 or earlier
Impact:
An attacker can execute arbitrary code on Ignite nodes when the Ignite
classpath contains classes that are exploitable through deserialization
(so-called gadget classes).
Description:
The Apache Ignite serialization mechanism has no list of classes allowed for
serialization/deserialization, which makes it possible to run arbitrary code
when vulnerable third-party classes are present on the Ignite classpath. The
vulnerability can be exploited if one sends a specially prepared serialized
object to one of the deserialization endpoints of certain Ignite components:
the discovery SPI, Ignite persistence, the Memcached endpoint and the socket
streamer.
Mitigation:
• All Ignite versions: make sure there are no exploitable (gadget) classes in
the custom code and third-party libraries on the Ignite classpath.
• Ignite 2.3 or earlier users: upgrade to Ignite 2.4 and use the
IGNITE_MARSHALLER_WHITELIST and/or IGNITE_MARSHALLER_BLACKLIST system
properties to define the classes allowed for deserialization. The whitelist
is the stronger control: a blacklist only blocks the gadget classes you
already know about.
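As an added illustration of the allow-list control the second mitigation bullet refers to (example code written for this page, not Ignite's own marshaller), the following Java class enforces a class whitelist by overriding ObjectInputStream.resolveClass, so an unlisted class is refused before any instance of it is created. The whitelist file format used here (one fully-qualified class name per line, '#' comments) and the class and method names are assumptions made for this example; Ignite's actual property format is documented with the IGNITE_MARSHALLER_WHITELIST property.

```java
import java.io.*;
import java.util.*;

/**
 * Added illustration, not Ignite's marshaller code: a deserialization
 * allow-list enforced in ObjectInputStream.resolveClass. The file format
 * (one class name per line, '#' comments) is an assumption for this example.
 */
public class WhitelistDeserializer {

    private final Set<String> allowed;

    public WhitelistDeserializer(Set<String> allowed) {
        this.allowed = Collections.unmodifiableSet(new HashSet<>(allowed));
    }

    /** Parses the assumed whitelist format; blank lines and '#' comments are ignored. */
    public static Set<String> loadWhitelist(Reader reader) throws IOException {
        Set<String> names = new HashSet<>();
        try (BufferedReader br = new BufferedReader(reader)) {
            String line;
            while ((line = br.readLine()) != null) {
                line = line.trim();
                if (!line.isEmpty() && !line.startsWith("#")) {
                    names.add(line);
                }
            }
        }
        return names;
    }

    /**
     * resolveClass runs for every class descriptor in the stream before an
     * instance is created, so an unlisted class is rejected before its
     * readObject/readResolve logic can ever execute.
     */
    private final class FilteringInputStream extends ObjectInputStream {
        FilteringInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    public Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Sample payload type constructed for this example. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed whitelist contents, in the format assumed above.
        String whitelistFile = "# classes this node may deserialize\n" + Greeting.class.getName() + "\n";
        WhitelistDeserializer d = new WhitelistDeserializer(loadWhitelist(new StringReader(whitelistFile)));

        // Listed class: round-trips normally.
        Greeting g = (Greeting) d.deserialize(serialize(new Greeting("hello")));
        System.out.println("allowed: " + g.text);

        // Unlisted class (standing in for any gadget class on the classpath): rejected before instantiation.
        HashMap<String, String> unlisted = new HashMap<>();
        unlisted.put("k", "v");
        try {
            d.deserialize(serialize(unlisted));
            System.out.println("BUG: unlisted class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check sits in resolveClass rather than after readObject because by the time readObject returns, a gadget class's readObject or readResolve has already run; rejecting the descriptor is what prevents that. On Java 9 and later (and 8u121 and later) the JDK offers the same control built in through ObjectInputStream.setObjectInputFilter and the jdk.serialFilter system property, which is the preferable mechanism when the deserializing code is under your control.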
Credit:
The vulnerability was discovered by Man Yue Mo of lgtm.com.
References:
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1295