Unsafe Java object serialization #1161

Open
mkalinin opened this issue Aug 20, 2018 · 4 comments

Comments

@mkalinin
Contributor

mkalinin commented Aug 20, 2018

What's wrong

The Ethash class uses pure Java object serialization to store the light and full datasets.
As @ThingToNO pointed out, this serialization in its pure form can be exploited; additional information can be found here.
However, in this particular case it doesn't look valuable for an attacker.

How to fix

Looks like the easiest way is to use custom serialization.
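An added example (not the project's code) of what "custom serialization" means here: the first loader hands a cache file straight to ObjectInputStream, so the file's contents decide which classes get instantiated before the cast to int[] ever runs; the second writes and reads a fixed-layout format with DataOutputStream/DataInputStream, which can only ever produce an int array. It assumes the datasets are int arrays and uses a constructed magic value and length bound.

```java
import java.io.*;
import java.nio.file.*;
import java.util.Arrays;

/** Vulnerable pattern: the file, not the program, chooses what is deserialized. */
class VulnerableCacheLoader {
    static int[] load(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            // readObject() fully constructs whatever class the stream names
            // (and runs its readObject/readResolve hooks) before this cast is checked.
            return (int[]) in.readObject();
        }
    }
}

/** Hardened: a custom fixed-layout format that never calls readObject(). */
class SafeCacheLoader {
    static final int MAGIC = 0x45544831;   // constructed format tag, "ETH1"
    static final int MAX_WORDS = 1 << 30;  // hypothetical upper bound on dataset size

    static void save(Path file, int[] data) throws IOException {
        try (DataOutputStream out = new DataOutputStream(
                new BufferedOutputStream(Files.newOutputStream(file)))) {
            out.writeInt(MAGIC);
            out.writeInt(data.length);
            for (int v : data) out.writeInt(v);
        }
    }

    static int[] load(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(
                new BufferedInputStream(Files.newInputStream(file)))) {
            if (in.readInt() != MAGIC) throw new IOException("not a dataset cache file");
            int n = in.readInt();
            // Reject negative or oversized lengths before allocating anything.
            if (n < 0 || n > MAX_WORDS) throw new IOException("bad dataset length " + n);
            int[] data = new int[n];
            for (int i = 0; i < n; i++) data[i] = in.readInt();  // EOFException if truncated
            return data;
        }
    }
}

public class CacheDemo {
    public static void main(String[] args) throws Exception {
        Path f = Files.createTempFile("dataset", ".bin");
        int[] sample = {7, 11, 13, 17};  // constructed sample dataset
        SafeCacheLoader.save(f, sample);
        System.out.println("round trip ok: " + Arrays.equals(sample, SafeCacheLoader.load(f)));
    }
}
```

If ObjectInputStream has to stay for compatibility, Java 9+ deserialization filters (ObjectInputStream.setObjectInputFilter) can restrict the stream to int[] and reject everything else, but a format that cannot express arbitrary classes removes the problem outright.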

@mkalinin mkalinin added this to Backlog in Core via automation Aug 20, 2018
@mkalinin
Contributor Author

mkalinin commented Aug 20, 2018

Special thanks to @ThingToNO for investigation. It's much appreciated 👍

@rschultheis

rschultheis commented Jun 27, 2019

Hi @mkalinin 👋 I've recently noticed that CVE-2018-15890 has been published on this issue. It does not appear based on this issue that a fix has been made. Is a fix planned for this issue (or has it potentially already been fixed)?

@mkalinin
Contributor Author

mkalinin commented Jul 2, 2019

@rschultheis It's not yet been fixed. We'll probably tackle that during the Ethash to ProgPoW update.

@rschultheis

rschultheis commented Jul 18, 2019

Hi @mkalinin. I am evaluating whether this CVE should be included in GitHub's advisory dataset, thus sending security alerts to clients. Something seems out of sync between the CVE and this issue in terms of how severe this vulnerability is.

In the parent comment above it says this, implying this is not particularly exploitable:

However, in this particular case it doesn't look valuable for attacker.

In the CVE, however, it has a Critical base severity and says:

When a node syncs and mines a new block, arbitrary OS commands can be run on the server.

We understand sometimes that CVEs are issues for things that are not truly exploitable vulnerabilities, but in this case it is somewhat unclear. Could you help give us some context on this issue and whether it represents a true critical vulnerability?

🙇 Thanks!
