  1. Ignite
  2. IGNITE-8565

Arbitrary code execution from GridClientJdkMarshaller


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6
    • Component/s: binary
    • Labels:

      Description

      The reported issue is related to a previously discovered and addressed vulnerability: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1295

      The vulnerability can be exploited if someone sends a specially prepared serialized object to one of the deserialization endpoints of some Ignite components.

      It was noticed that some results ended up in the `GridClientJdkMarshaller`, which is not protected by the measures that you put in place in CVE-2018-1295:

      https://lgtm.com/projects/g/apache/ignite/snapshot/ef232f82e217ed104f1d2be282612727a47c79ee/files/modules/core/src/main/java/org/apache/ignite/internal/client/marshaller/jdk/GridClientJdkMarshaller.java?#L66

      It looks like most of the results go through a polymorphic call of the following function (i.e., from the 4th result):

      https://lgtm.com/projects/g/apache/ignite/snapshot/ef232f82e217ed104f1d2be282612727a47c79ee/files/modules/core/src/main/java/org/apache/ignite/internal/client/impl/connection/GridClientConnectionManagerAdapter.java?sort=name&dir=ASC&mode=heatmap&showExcluded=false#L633

      This has to be mitigated using the same approach as in CVE-2018-1295.

      Use the following CVE when reporting to MITRE: CVE-2018-8018

            People

            • Assignee:
              agura Andrey N. Gura
              Reporter:
              dmagda Denis A. Magda