
List:       oss-security
Subject:    [oss-security] CVE-2023-38647: Apache Helix: Deserialization vulnerability in Helix workflow and RES
From:       Junkai Xue <jxue () apache ! org>
Date:       2023-07-25 16:54:17
Message-ID: d8fb0f6d-4865-c82f-91b7-d18788aaa16e () apache ! org

Severity: important

Affected versions:

- Apache Helix through 1.2.0

Description:

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run during Helix REST startup and workflow creation.

Affects all versions up to and including 1.2.0.

Affected products: helix-core, helix-rest

Mitigation: Short term, stop using any YAML-based configuration and workflow creation.
Long term, upgrade Helix to 1.3.0.
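As an added illustration (not Helix project code) of the loader-level defence against the SnakeYAML behaviour described above: SnakeYAML's SafeConstructor only builds standard YAML types (maps, lists, scalars) and throws on any tag naming a Java class, so a document tagged with java.net.URLClassLoader is rejected before anything is instantiated. It assumes SnakeYAML 1.33 or later (including 2.x); the class and method names below are my own.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/** Loads YAML with SnakeYAML's SafeConstructor instead of the default Constructor. */
public final class SafeYamlConfig {

    private SafeYamlConfig() {}

    /** Parses a document; standard YAML types only, Java-class tags raise YAMLException. */
    public static Object loadSafely(String document) {
        LoaderOptions options = new LoaderOptions();
        // Assumption: SnakeYAML 1.33+ / 2.x, where SafeConstructor takes LoaderOptions.
        // On older 1.x releases use the no-arg SafeConstructor() instead.
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(document);
    }

    /** Returns true when the safe loader refuses the document (e.g. a Java-class tag). */
    public static boolean isRejected(String document) {
        try {
            loadSafely(document);
            return false;
        } catch (YAMLException e) {
            // ConstructorException: "could not determine a constructor for the tag ..."
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary workflow-style config, accepted by SafeConstructor.
        String plain = "workflow:\n  name: demo\n  jobs:\n    - name: job1\n";
        Map<?, ?> cfg = (Map<?, ?>) loadSafely(plain);
        System.out.println("plain config loaded: " + cfg);

        // Constructed sample: a document tagged with the class named in the advisory.
        // The default `new Yaml()` would try to instantiate it; SafeConstructor throws.
        String tagged = "!!java.net.URLClassLoader []\n";
        System.out.println("java-class tag rejected: " + isRejected(tagged));
    }
}
```

Any code path that still accepts user-supplied YAML should be loaded this way, or with an explicit allow-list of tags, rather than with the default constructor.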

Credit:

Qing Xu (reporter)

References:

https://helix.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-38647

