Details
- Bug
- Status: Closed
- Blocker
- Resolution: Fixed
- None
Description
The security breach was reported by an end-user:
https://mail-search.apache.org/pmc/private-arch/ignite-private/201710.mbox/%3cDDA66C96-83C3-458B-ABC7-EC89CFF0FBE6@apache.org%3e
This unsafe deserialization here can be used to attack any ignite node (it does not require other plugins to be enabled), happens while an incoming packet is parsed (so probably pre-authentication) and can be attacked through the standard ignite port (47500).
1. Start an ignite node e.g. with 'examples/config/example-ignite.xml'.
2. Run `ExampleNodeExploit` to send a malicious packet.
Remote code execution will happen when:
calls the `JdkMarshaller` to deserialize the packet data. (The logging in line 5760 also shows that this is a plausible scenario.)
This is easily prevented, as you know at compile time that this data is supposed to be an instance of `TcpDiscoveryAbstractMessage`, so checking the type and preventing unsafe deserialization in this case is fairly straightforward.
Please let me know if you need help or more information. Thanks.
Vulnerabilities resolution process:
https://www.apache.org/security/committers.html