
List:       oss-security
Subject:    [oss-security] CVE-2023-28754: ShardingSphere-Agent: Deserialization vulnerability in ShardingSphere
From:       Weijie Wu <wuweijie () apache ! org>
Date:       2023-07-19 6:24:52
Message-ID: a3830426-0e83-631c-df91-6ba69c00a333 () apache ! org

Severity: low

Affected versions:

- ShardingSphere-Agent through 5.3.2

Description:

Deserialization of Untrusted Data vulnerability in Apache ShardingSphere-Agent, which allows attackers to execute arbitrary code by constructing a special YAML configuration file.

The attacker needs to have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine can access the URL with the arbitrary code JAR. An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. When the ShardingSphere JVM process starts and uses the ShardingSphere-Agent, the arbitrary code specified by the attacker will be executed during the deserialization of the YAML configuration file by the Agent.

This issue affects ShardingSphere-Agent: through 5.3.2. This vulnerability is fixed in Apache ShardingSphere 5.4.0.
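The root cause described above is a YAML loader that honours global ("!!") tags and instantiates whatever class the file names. The following is an added illustration, not ShardingSphere's own code, of the unsafe loader pattern beside a hardened one; it assumes SnakeYAML 2.x on the classpath, and the config text and the `AgentConfigLoader` class name are constructed for the example.

```java
// Added example (not part of the advisory or ShardingSphere): unsafe vs.
// hardened SnakeYAML loading of an agent-style configuration file.
// Assumes SnakeYAML 2.x (org.yaml:snakeyaml) on the classpath.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class AgentConfigLoader {

    // Constructed sample: a plausible plugin config plus one node carrying a
    // global tag that asks the loader to instantiate a JDK class. A benign
    // tag is used here; a legitimate agent config never needs such tags, so
    // their mere presence is what a hardened loader must reject.
    static final String CONFIG =
        "plugins:\n" +
        "  logging:\n" +
        "    props:\n" +
        "      level: INFO\n" +
        "injected: !!java.util.Date [0]\n";

    // The pattern behind CVE-2023-28754: the general-purpose Constructor
    // resolves global tags to classes. On SnakeYAML 1.x this instantiates the
    // named class; 2.x additionally refuses global tags by default unless a
    // TagInspector allows them, so this is shown only for contrast.
    static Object loadUnsafe(String yaml) {
        return new Yaml(new Constructor(new LoaderOptions())).load(yaml);
    }

    // Hardened: SafeConstructor builds only standard YAML types (maps, lists,
    // scalars) and throws on any global tag, so no class is ever looked up
    // or instantiated regardless of the file's contents.
    static Map<String, Object> loadSafe(String yaml) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50); // also bounds alias expansion
        return new Yaml(new SafeConstructor(opts)).load(yaml);
    }

    public static void main(String[] args) {
        try {
            loadSafe(CONFIG);
            System.out.println("unexpected: tagged node was accepted");
        } catch (YAMLException e) {
            // Expected path: the tagged node is rejected during construction.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For a process such as an agent that only ever needs plain maps and scalars from its config, SafeConstructor removes the deserialization gadget surface entirely rather than relying on file permissions alone.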

Credit:

Liav Gutman of the JFrog CSO Research team (finder)

References:

https://shardingsphere.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-28754
