CVE-2024-23636

Description

Impact SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. Patches Fixed this issue by adding a blacklist, users can upgrade to sofarpc version 5.12.0 to avoid this issue. Workarounds SOFARPC also provides a way to add additional blacklist. Users can add some class like -Drpc_serialize_blacklist_override=org.apache.xpath. to avoid this issue.

How to fix CVE-2024-23636

To remediate CVE-2024-23636, upgrade the affected package to a fixed version below.

• —upgrade to 5.12.0 or later

Is CVE-2024-23636 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 5.12.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-23636
• PATCHgithub.com/sofastack/sofa-rpc
• WEBgithub.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76
• WEBgithub.com/sofastack/sofa-rpc/commit/d08e25824ae9feaf0876adba9acd2938f34759b1