Deserialization of Untrusted Data in com.supermartijn642.configlib.ConfigSyncPacket

High
SuperMartijn642 published GHSA-f4r5-w453-2jx6 Aug 5, 2021

Package

com.supermartijn642.configlib.ConfigSyncPacket

Affected versions

>= 1.0.4, < 1.0.8

Patched versions

>= 1.0.9

Description

Impact

SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. Versions of SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are affected by a vulnerability that can be exploited on both servers and clients. The affected versions have been downloaded over 3 million times.

Using SuperMartijn642's Config Lib, servers send a packet to clients containing the server's config values. To read enum values from the packet data, ObjectInputStream#readObject is used. ObjectInputStream#readObject instantiates a class based on the input data. Since the packet data is not validated before ObjectInputStream#readObject is called, an attacker can instantiate any class by sending a malicious packet.
If a suitable class is found, the vulnerability can lead to a number of exploits, including remote code execution.

Although the vulnerable packet is typically only sent from server to client, it can theoretically also be sent from client to server. This means both clients and servers running SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are vulnerable.
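
The enum read described above, as an added example (not code from Config Lib or from its 1.0.9 patch): the first method shows that with ObjectInputStream#readObject the sender chooses the instantiated type, the second shows a name-based encoding where the receiver supplies the enum type. The class and method names, the Difficulty enum and the packets are constructed for illustration, and the name-based encoding is an assumed mitigation, not the project's documented fix.

```java
import java.io.*;

public class EnumSyncExample {
    // Hypothetical config enum standing in for the enum a mod's config entry declares.
    enum Difficulty { EASY, NORMAL, HARD }

    // Pattern the advisory describes: the class to instantiate is named by the
    // packet bytes, and it is built before any cast on the result can fail.
    static Object readEnumUnsafe(byte[] packet) throws IOException, ClassNotFoundException {
        return new ObjectInputStream(new ByteArrayInputStream(packet)).readObject();
    }

    // Safer pattern: only the constant's name is sent; the receiver supplies the
    // enum type from its own config definition, never from the packet.
    static byte[] writeEnum(Enum<?> value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        new DataOutputStream(buf).writeUTF(value.name());
        return buf.toByteArray();
    }

    static <E extends Enum<E>> E readEnum(byte[] packet, Class<E> expected) throws IOException {
        String name = new DataInputStream(new ByteArrayInputStream(packet)).readUTF();
        try {
            return Enum.valueOf(expected, name);
        } catch (IllegalArgumentException e) {
            throw new IOException("unknown constant for " + expected.getSimpleName());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed packet: a serialized object that is not an enum at all.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            oos.writeObject(new java.util.ArrayList<String>());
        }
        // The sender, not the receiver, decided this type.
        System.out.println(readEnumUnsafe(buf.toByteArray()).getClass().getName());

        System.out.println(readEnum(writeEnum(Difficulty.HARD), Difficulty.class));

        // Constructed packet naming something that is not a Difficulty constant.
        ByteArrayOutputStream bad = new ByteArrayOutputStream();
        new DataOutputStream(bad).writeUTF("java.util.ArrayList");
        try {
            readEnum(bad.toByteArray(), Difficulty.class);
        } catch (IOException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }
    }
}
```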

Patches

The vulnerability has been patched in SuperMartijn642's Config Lib 1.0.9. Both players and server owners should update to 1.0.9 or higher. Any dependencies on SuperMartijn642's Config Lib will also be compatible with SuperMartijn642's Config Lib 1.0.9.
Updated versions can be found on the CurseForge page for the project.

Workarounds

There are no workarounds for servers or clients running an older version of SuperMartijn642's Config Lib.

Credits

The vulnerability was discovered by @modmuss50 and they responsibly disclosed it via private communication channels.

References

More info on the security of ObjectInputStream#readObject:

A similar issue in RebornCore:

For more information

If you have any questions or comments about this advisory:

Severity

High 8.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2021-37632

Weaknesses
