
Leaking deserialization protection on Externalizables #15346

Closed
kwart opened this issue Jul 23, 2019 · 3 comments · Fixed by #15358

Comments

@kwart (Member) commented Jul 23, 2019

The deserialization filter doesn't properly protect against vulnerable Externalizable classes. The filtering has to be extended.

The issue was discovered by @Mak-Sym and reported on the Hazelcast Google group - https://groups.google.com/forum/#!topic/hazelcast/B_RAv7gTVPU.
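An added illustration of the defensive point behind this report, not Hazelcast's own code: a class-name filter only protects if every path that turns a stream-supplied class name into an instance consults it, and a separate Externalizable read path that skips the check leaves a hole. The `ClassNameFilter` and `ExternalizableReader` names are hypothetical.

```java
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.util.Set;

// Hypothetical deny/allow prefix filter, the same shape as a typical
// deserialization class-name filter; not the project's implementation.
final class ClassNameFilter {
    private final Set<String> denyPrefixes;
    private final Set<String> allowPrefixes; // empty means "allow anything not denied"

    ClassNameFilter(Set<String> denyPrefixes, Set<String> allowPrefixes) {
        this.denyPrefixes = denyPrefixes;
        this.allowPrefixes = allowPrefixes;
    }

    boolean isAllowed(String className) {
        for (String p : denyPrefixes) if (className.startsWith(p)) return false;
        if (allowPrefixes.isEmpty()) return true;
        for (String p : allowPrefixes) if (className.startsWith(p)) return true;
        return false;
    }
}

final class ExternalizableReader {
    private final ClassNameFilter filter;

    ExternalizableReader(ClassNameFilter filter) { this.filter = filter; }

    // Gap: the class name from the stream is loaded and instantiated without
    // ever reaching the filter, so a deny list guarding resolveClass() elsewhere
    // never sees this path.
    Externalizable readUnfiltered(ObjectInput in) throws IOException, ClassNotFoundException {
        Externalizable e = instantiate(in.readUTF());
        e.readExternal(in);
        return e;
    }

    // Hardened: consult the filter before the class is loaded at all (loading
    // alone can run static initializers), then proceed as before.
    Externalizable readFiltered(ObjectInput in) throws IOException, ClassNotFoundException {
        String className = in.readUTF();
        if (!filter.isAllowed(className)) {
            throw new SecurityException("Deserialization of " + className + " is rejected by filter");
        }
        Externalizable e = instantiate(className);
        e.readExternal(in);
        return e;
    }

    private static Externalizable instantiate(String className) throws ClassNotFoundException {
        try {
            return (Externalizable) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException ex) {
            throw new ClassNotFoundException(className, ex);
        }
    }
}
```

When auditing a filter of this kind, enumerate every call site that resolves a class name from untrusted input and verify each one routes through the same check.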

@kwart kwart added this to the 3.12.2 milestone Jul 23, 2019
@kwart kwart self-assigned this Jul 23, 2019
@kwart kwart added the `Source: Community` label (PR or issue was opened by a community user) Jul 23, 2019
kwart added a commit to kwart/hazelcast that referenced this issue Jul 23, 2019
kwart added a commit that referenced this issue Jul 24, 2019
…ck in Map index (#15358)

* [#15346] Fix deserialization filtering for Externalizables and Deadlock in Map index

* Fix ambiguous toArray() in Java 11
kwart added a commit that referenced this issue Jul 24, 2019
…nd Deadlock in Map index (#15359)

* [#15346] Fix deserialization filtering for Externalizables and Deadlock in Map index
@andrewfinnell commented
Would it be possible for someone to describe specifically how an attacker might use this vulnerability? From what I am reading it sounds like an attacker would need to send a malformed Join request that tricks Hazelcast into deserializing a rogue class that is on the classpath of the service accepting the join request. Is that accurate?

@mmedenjak (Contributor) commented

@kwart can you provide an answer for the question or confirm it?

@kwart (Member, Author) commented Jan 31, 2022

> Would it be possible for someone to describe specifically how an attacker might use this vulnerability? From what I am reading it sounds like an attacker would need to send a malformed Join request that tricks Hazelcast into deserializing a rogue class that is on the classpath of the service accepting the join request. Is that accurate?

We don't publish details on attack vectors. Sorry.
