Ignite issue IGNITE-8565

Arbitrary code execution from GridClientJdkMarshaller

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6
    • Component/s: binary

Description

The reported issue is related to a previously discovered and addressed vulnerability: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1295

The vulnerability can be exploited if one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components.

It was noticed that some results ended up in the `GridClientJdkMarshaller`, which is not protected by the measures that you put in place in CVE-2018-1295:

https://lgtm.com/projects/g/apache/ignite/snapshot/ef232f82e217ed104f1d2be282612727a47c79ee/files/modules/core/src/main/java/org/apache/ignite/internal/client/marshaller/jdk/GridClientJdkMarshaller.java?#L66

It looks like most of the results go through a polymorphic call of the following function (i.e., from the 4th result):

https://lgtm.com/projects/g/apache/ignite/snapshot/ef232f82e217ed104f1d2be282612727a47c79ee/files/modules/core/src/main/java/org/apache/ignite/internal/client/impl/connection/GridClientConnectionManagerAdapter.java?sort=name&dir=ASC&mode=heatmap&showExcluded=false#L633

This has to be mitigated using the same approach as in CVE-2018-1295.

Use the following CVE when reporting to Mitre: CVE-2018-8018
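The mitigation the description refers to is a class-name filter applied before the JDK `ObjectInputStream` loads any class named in the incoming stream, so that a crafted payload naming a gadget class is rejected instead of instantiated. The example below is added here to illustrate that approach; it is not Ignite's own code, and the class names (`FilteringObjectInputStream`, `Ping`, `Untrusted`), the `Predicate<String>` allow-list and the helper methods are assumptions made for the demonstration rather than identifiers from the Ignite fix.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

/** Hypothetical demo of allow-list based JDK deserialization (not Ignite's code). */
public class FilteredJdkDeserialization {

    /**
     * ObjectInputStream that consults a class-name filter in resolveClass(),
     * i.e. before the named class is loaded or instantiated. Any class the
     * filter does not accept aborts the read with InvalidClassException.
     */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        private final Predicate<String> clsFilter;

        FilteringObjectInputStream(InputStream in, Predicate<String> clsFilter) throws IOException {
            super(in);
            this.clsFilter = clsFilter;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!clsFilter.test(name))
                throw new InvalidClassException(name, "Class is not on the deserialization allow-list");
            return super.resolveClass(desc);
        }
    }

    /** A message type the endpoint legitimately expects (constructed for the demo). */
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String msg;
        final int seq;
        Ping(String msg, int seq) { this.msg = msg; this.seq = seq; }
    }

    /** Stands in for any class the endpoint never expects to receive (constructed for the demo). */
    static final class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Deserialize bytes, admitting only classes accepted by clsFilter. */
    static Object deserialize(byte[] bytes, Predicate<String> clsFilter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bytes), clsFilter)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list: only the types this endpoint is designed to receive.
        Set<String> allowed = new HashSet<>(Arrays.asList(Ping.class.getName()));

        // Expected message: passes the filter and is reconstructed normally.
        Ping p = (Ping) deserialize(serialize(new Ping("hello", 1)), allowed::contains);
        System.out.println("accepted: " + p.msg + " #" + p.seq);

        // Unexpected type: rejected in resolveClass() before any instance is created.
        try {
            deserialize(serialize(new Untrusted()), allowed::contains);
            System.out.println("BUG: untrusted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The check lives in `resolveClass()` because that is the first point at which the stream hands a class name to the JVM; an allow-list of the handful of message types an endpoint actually exchanges is far easier to keep correct than a deny-list of known gadget classes. On JDK 9 and later (and 8u121 and later) the same policy can be expressed with the built-in `ObjectInputFilter` via `ObjectInputStream.setObjectInputFilter`, which additionally bounds depth, array length and reference counts.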

People

    agura Andrey N. Gura
    dmagda Denis A. Magda

Votes: 0
Watchers: 3