[IGNITE-6643] Exploitable unsafe deserialization in Ignite cluster - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.4
Component/s: binary
Labels:
- vulnerability

Description

The security breach was reported by an end-user:
https://mail-search.apache.org/pmc/private-arch/ignite-private/201710.mbox/%3cDDA66C96-83C3-458B-ABC7-EC89CFF0FBE6@apache.org%3e

This unsafe deserialization here can be used to attack any ignite node (not require other pluggins enabled), happened during an incoming packet is parsed (so probably pre-authentication) and can be attacked through the standard ignite port (47500).

1. Start an ignite node e.g. with 'examples/config/example-ignite.xml'.

2. Run `ExampleNodeExploit` to send a malicious packet.

Remote code execution will happen when:

https://lgtm.com/projects/g/apache/ignite/latest/files/modules/core/src/main/java/org/apache/ignite/spi/discovery/tcp/ServerImpl.java?sort=name&dir=ASC&mode=list#L5771

calls the `JdkMarshaller` to deserializer the packet data. (The logging in line 5760 also shows that this is a plausible scenario)This is easily prevented as you know at compile time that this data is supposed to be an instance of `TcpDiscoveryAbstractMessage`, so checking the type and prevent unsafe deserialization in this case is fairly straightforward.

Please let me know if you need help or more information. Thanks.

Vulnerabilities resolution process:
https://www.apache.org/security/committers.html

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ExampleNodeExploit.java
16/Oct/17 17:42
0.8 kB
Denis A. Magda
obj
16/Oct/17 17:42
1 kB
Denis A. Magda

Activity

People

Assignee:: Denis A. Magda

Reporter:: Denis A. Magda

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 16/Oct/17 17:40

Updated:: 22/Apr/20 08:12

Resolved:: 11/Jul/18 21:23