Posted to issues@ignite.apache.org by "Ilya Kasnacheev (Jira)" <ji...@apache.org> on 2020/04/22 08:12:00 UTC

[jira] [Commented] (IGNITE-6643) Exploitable unsafe deserialization in Ignite cluster

    [ https://issues.apache.org/jira/browse/IGNITE-6643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089434#comment-17089434 ] 

Ilya Kasnacheev commented on IGNITE-6643:
-----------------------------------------

{{
commit d268eb2573ad46efce8b6d9480b7c9c317b792cd
Author: Andrey Gura <ag...@apache.org>
Date:   Mon Jan 22 22:41:54 2018 +0300

    ignite-6643 Marshalling improvements
}}

> Exploitable unsafe deserialization in Ignite cluster
> ----------------------------------------------------
>
>                 Key: IGNITE-6643
>                 URL: https://issues.apache.org/jira/browse/IGNITE-6643
>             Project: Ignite
>          Issue Type: Bug
>            Reporter: Denis A. Magda
>            Assignee: Denis A. Magda
>            Priority: Blocker
>             Fix For: 2.4
>
>         Attachments: ExampleNodeExploit.java, obj
>
>
> The security breach was reported by an end-user:
> https://mail-search.apache.org/pmc/private-arch/ignite-private/201710.mbox/%3cDDA66C96-83C3-458B-ABC7-EC89CFF0FBE6@apache.org%3e
> This unsafe deserialization can be used to attack any Ignite node (it does not require other plugins to be enabled); it happens while an incoming packet is parsed (so probably pre-authentication) and can be attacked through the standard Ignite port (47500).
> 1. Start an ignite node e.g. with 'examples/config/example-ignite.xml'.
> 2. Run `ExampleNodeExploit` to send a malicious packet.
> Remote code execution will happen when:
> https://lgtm.com/projects/g/apache/ignite/latest/files/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java?sort=name&dir=ASC&mode=list#L5771
> calls the `JdkMarshaller` to deserialize the packet data. (The logging in line 5760 also shows that this is a plausible scenario.) This is easily prevented, as you know at compile time that this data is supposed to be an instance of `TcpDiscoveryAbstractMessage`, so checking the type and preventing unsafe deserialization in this case is fairly straightforward.
> Please let me know if you need help or more information. Thanks.
> *Vulnerabilities resolution process:*
> https://www.apache.org/security/committers.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
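Added example, not Ignite's code and not what the commit referenced above does: the type restriction the quoted report recommends, applied as a JDK 9+ ObjectInputFilter allow-list around plain JDK serialization, plus an explicit check of the top-level object's type. The DiscoveryMessage, JoinRequest and Unexpected classes and the sample packets are constructed stand-ins assumed for illustration; they are not TcpDiscoveryAbstractMessage or its subclasses.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.UUID;

/**
 * Added example, not Ignite's code: unmarshal an incoming packet only if every
 * class descriptor in the stream is on an allow-list derived from the expected
 * message type, and the top-level object really is of that type.
 * DiscoveryMessage/JoinRequest are constructed stand-ins for
 * TcpDiscoveryAbstractMessage and one of its subclasses. Requires JDK 9+.
 */
public final class RestrictedUnmarshalExample {

    /** Stand-in for the abstract discovery message base class. */
    abstract static class DiscoveryMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final UUID senderId;
        DiscoveryMessage(UUID senderId) { this.senderId = senderId; }
    }

    /** A legitimate concrete message type. */
    static final class JoinRequest extends DiscoveryMessage {
        private static final long serialVersionUID = 1L;
        final String nodeName;
        JoinRequest(UUID senderId, String nodeName) { super(senderId); this.nodeName = nodeName; }
    }

    /** Any serializable class the protocol never sends; stands in for whatever an unexpected packet might carry. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    private static final String BASE = RestrictedUnmarshalExample.class.getName();

    /**
     * JDK 9+ pattern filter: resource limits first, then the exact classes a
     * message may contain (including the serialized superclass and the JDK
     * value types used as fields), then "!*" to reject every other class.
     * A rejected class is refused before any instance of it is created.
     */
    private static final ObjectInputFilter MESSAGE_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxbytes=65536;"
        + BASE + "$DiscoveryMessage;" + BASE + "$JoinRequest;"
        + "java.util.UUID;java.lang.String;!*");

    /** Deserialize data as a message of the expected type, or fail before anything unexpected is built. */
    static <T extends DiscoveryMessage> T unmarshal(byte[] data, Class<T> expectedType)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(MESSAGE_FILTER);   // a rejected class surfaces as InvalidClassException
            Object obj = in.readObject();
            if (!expectedType.isInstance(obj))         // second check: the top-level type the caller expects
                throw new InvalidClassException("unexpected message type: " + obj.getClass().getName());
            return expectedType.cast(obj);
        }
    }

    /** Plain JDK serialization, used here only to build the constructed sample packets. */
    static byte[] marshal(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate message passes the filter and the type check.
        byte[] good = marshal(new JoinRequest(UUID.randomUUID(), "node-1"));
        JoinRequest msg = unmarshal(good, JoinRequest.class);
        System.out.println("accepted join request from " + msg.nodeName);

        // Constructed sample: a packet carrying a class outside the allow-list is
        // rejected by the filter before an instance of that class is created.
        byte[] bad = marshal(new Unexpected());
        try {
            unmarshal(bad, DiscoveryMessage.class);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The closing "!*" pattern is what turns the filter into an allow-list: only the classes named before it (derived from the message hierarchy and its field types) can be resolved, so new or unknown classes in a packet are refused by default rather than having to be enumerated in a deny-list. The isInstance check after readObject is kept as well because the filter only constrains which classes may appear, not which one ends up at the top of the stream.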