List: oss-security
Subject: [oss-security] CVE-2023-38647: Apache Helix: Deserialization vulnerability in Helix workflow and RES
From: Junkai Xue <jxue () apache ! org>
Date: 2023-07-25 16:54:17
Message-ID: d8fb0f6d-4865-c82f-91b7-d18788aaa16e () apache ! org
Severity: important
Affected versions:
- Apache Helix through 1.2.0
Description:
An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.
Affects all versions up to and including 1.2.0.
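The root cause described above is a YAML loader that resolves global "!!" tags to arbitrary classes. The following is an added illustration written for this post, not Helix code: it shows the weak SnakeYAML setting beside the hardened one, using a harmless class (java.io.File) rather than the gadget chain named in the advisory. It assumes SnakeYAML 1.33, where the default `new Yaml()` still honours global tags (SnakeYAML 2.x rejects them by default); class and method names are hypothetical.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/** Hypothetical loader for a workflow definition; not part of Helix. */
public class WorkflowYamlLoader {

    // Constructed sample input: a global "!!" tag asks the loader to build an
    // instance of an arbitrary JDK class (java.io.File here, chosen because it
    // is harmless) instead of the plain mapping the application expects.
    static final String TAINTED_WORKFLOW =
            "name: example-workflow\n"
          + "config: !!java.io.File [\"/tmp/not-a-map\"]\n";

    /** Weak setting: the default Constructor instantiates whatever class a tag names. */
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml();              // default Constructor, SnakeYAML 1.x
        return yaml.load(doc);
    }

    /** Hardened setting: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Map<String, Object> loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        Object parsed = yaml.load(doc);
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("workflow document must be a mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> workflow = (Map<String, Object>) parsed;
        return workflow;
    }

    public static void main(String[] args) {
        // Unsafe path: the tag is honoured and a java.io.File object is constructed.
        Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(TAINTED_WORKFLOW);
        System.out.println("unsafe loader built: " + unsafe.get("config").getClass().getName());

        // Safe path: the same document is rejected before any class is instantiated.
        try {
            loadSafe(TAINTED_WORKFLOW);
            System.out.println("unexpected: tainted document accepted");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected tag: " + e.getMessage());
        }
    }
}
```

SafeConstructor throws ConstructorException on the unknown tag, so the rejection happens at parse time and no application class is ever touched; the instanceof check on the result is the second layer, since even a safely parsed document may not be the shape the caller expects.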
Affected products: helix-core, helix-rest
Mitigation: Short term, stop using any YAML-based configuration and workflow creation.
Long term, upgrade all Helix deployments to 1.3.0.
Credit:
Qing Xu (reporter)
References:
https://helix.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-38647