Unsafe Java object serialization #1161
What's wrong
Ethash class uses pure Java object serialization to store light and full datasets.
As @ThingToNO pointed out, this serialization in its pure form can be exploited; additional information can be found here.
However, in this particular case it doesn't look valuable for an attacker.
How to fix
Looks like the easiest way is to use custom serialization.
Comments
Special thanks to @ThingToNO for the investigation. It's much appreciated 👍
Hi @mkalinin 👋 I've recently noticed that CVE-2018-15890 has been published on this issue. It does not appear, based on this issue, that a fix has been made. Is a fix planned for this issue (or has it potentially already been fixed)?
@rschultheis It's not yet been fixed. We'll probably tack that on during the Ethash to ProgPoW update.
Hi @mkalinin. I am evaluating whether this CVE should be included in GitHub's advisory dataset, thus sending security alerts to clients. Something seems out of sync between the CVE and this issue in terms of how severe this vulnerability is. In the parent comment above it says this, implying this is not particularly exploitable:
In the CVE however, it has a Critical base severity and says:
We understand sometimes that CVEs are issued for things that are not truly exploitable vulnerabilities, but in this case it is somewhat unclear. Could you help give us some context on this issue and whether it represents a true critical vulnerability? 🙇 Thanks!
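The custom-serialization fix suggested in the issue body, written out as an added example that is not ethereumj's own code: the unsafe ObjectInputStream load of a cached dataset next to a primitive-only replacement that carries no class names in the stream. It assumes the cached light/full datasets are int arrays; DatasetCache, MAGIC and MAX_WORDS are names chosen for this example.

```java
import java.io.*;
import java.nio.file.*;
import java.util.Arrays;

// Added example, not ethereumj code. Assumes the cached dataset is an int[].
public final class DatasetCache {
    private static final int MAGIC = 0x45544853;  // constructed file tag
    private static final int MAX_WORDS = 1 << 30;  // largest array length we accept

    // The pattern the issue describes: readObject() instantiates whatever class
    // the stream names, so a tampered cache file decides which classes get loaded.
    static int[] loadWithObjectStream(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            return (int[]) in.readObject();
        }
    }

    // Custom serialization: fixed layout of primitives only (magic, length, words).
    static void save(Path file, int[] data) throws IOException {
        try (DataOutputStream out = new DataOutputStream(
                new BufferedOutputStream(Files.newOutputStream(file)))) {
            out.writeInt(MAGIC);
            out.writeInt(data.length);
            for (int word : data) out.writeInt(word);
        }
    }

    // Reads the same layout back; the stream can never name a class, and the
    // length is bounded so a corrupt header cannot trigger a huge allocation.
    static int[] load(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(
                new BufferedInputStream(Files.newInputStream(file)))) {
            if (in.readInt() != MAGIC) throw new IOException("not a dataset file");
            int len = in.readInt();
            if (len < 0 || len > MAX_WORDS) throw new IOException("bad length: " + len);
            int[] data = new int[len];
            for (int i = 0; i < len; i++) data[i] = in.readInt();
            if (in.read() != -1) throw new IOException("trailing bytes in dataset file");
            return data;
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempFile("ethash-cache", ".bin");
        int[] sample = {7, 42, -1, 0x7fffffff};  // constructed sample dataset
        save(tmp, sample);
        System.out.println(Arrays.equals(sample, load(tmp)));
        Files.delete(tmp);
    }
}
```

For a full dataset of gigabyte size the per-word loop should be replaced by a bulk read through a ByteBuffer/IntBuffer, which keeps the same primitive-only layout.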