
List:       oss-security
Subject:    [oss-security] CVE-2022-24289: Apache Cayenne: Deserialization of untrusted data in the Hessian Comp
From:       Aristedes Maniatis <amaniatis () apache ! org>
Date:       2022-02-11 2:08:41
Message-ID: 59c2f992-ea03-6654-51da-b485f5a16d9b () apache ! org

Severity: moderate

Description:

Hessian serialization is a network protocol that supports object-based transmission.
Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications.

In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.


Mitigation:

Either upgrade to Apache Cayenne 4.2 or a patched version of Java (after 6u211, 7u201, 8u191, and 11.0.1).

All versions of Apache Cayenne 4.2 have whitelisting enabled by default for the Hessian deserialization. Later versions of Java also have LDAP mitigation in place. Users can either upgrade Java or Apache Cayenne to avoid the issue.

LDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 11.0.1, where the com.sun.jndi.ldap.object.trustURLCodebase system property is set to false by default to prevent JNDI from loading remote code through LDAP.
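As an added check that is not part of this advisory or of the Cayenne project, the following Python compares a server's JDK against the update thresholds listed above and flags a launcher flag that switches com.sun.jndi.ldap.object.trustURLCodebase back on. It assumes version strings in the usual `java -version` formats and, as an assumption, treats release lines newer than 11 as carrying the 11.0.1 default.

```python
import re
from typing import Optional, Sequence

# First update of each JDK release line that ships the LDAP mitigation
# (trustURLCodebase defaults to false), as listed in the advisory.
LDAP_MITIGATION_SINCE = {6: (6, 0, 211), 7: (7, 0, 201), 8: (8, 0, 191), 11: (11, 0, 1)}
JNDI_PROP = "com.sun.jndi.ldap.object.trustURLCodebase"

_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")     # 1.8.0_191-b12 -> (8, 0, 191)
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")  # 11.0.1+13     -> (11, 0, 1)


def parse_java_version(text: str) -> tuple:
    """Normalise a version string, or the first line of `java -version`
    output, to (major, minor, update) so release lines compare uniformly."""
    quoted = re.search(r'"([^"]+)"', text)  # openjdk version "11.0.1" 2018-10-16
    version = quoted.group(1) if quoted else text.strip()
    m = _LEGACY.match(version) or _MODERN.match(version)
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def java_has_ldap_mitigation(version: str) -> Optional[bool]:
    """True if the JDK is at or past the fixed update for its release line,
    False if older, None if the line is not covered (e.g. JDK 9 or 10)."""
    major, minor, update = parse_java_version(version)
    if major in LDAP_MITIGATION_SINCE:
        return (major, minor, update) >= LDAP_MITIGATION_SINCE[major]
    # Assumption: release lines after 11 postdate 11.0.1 and keep its default.
    return True if major > 11 else None


def trust_url_codebase_enabled(jvm_args: Sequence[str]) -> bool:
    """Detect a -D flag that switches trustURLCodebase back on; later
    definitions on the command line override earlier ones."""
    enabled = False
    for arg in jvm_args:
        if arg.startswith(f"-D{JNDI_PROP}="):
            enabled = arg.split("=", 1)[1].strip().lower() == "true"
    return enabled


def ldap_mitigation_effective(version: str, jvm_args: Sequence[str] = ()) -> Optional[bool]:
    """Patched JDK and no command-line override: the JDK-side mitigation holds."""
    patched = java_has_ldap_mitigation(version)
    if patched and trust_url_codebase_enabled(jvm_args):
        return False
    return patched
```

Feed it the first line of `java -version 2>&1` and the JVM's argument list; a False result means the Cayenne 4.2 upgrade is the remaining mitigation on that host.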

Credit:

Panda
