In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.
En Apache Ignite 2.3 o anterior, el mecanismo de serialización no tiene una lista de clases permitidas para serializar/deserializar, lo que hace posible que se ejecute código arbitrario cuando clases vulnerables de terceros están presentes en la ruta de clases de Ignite. La vulnerabilidad se puede explotar si uno envía un forma especial de objeto serializado a uno de los extremos de deserialización de determinados componentes de Ignite - discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.
Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift. Security fix: undertow: Client can use bogus uri in Digest authentication spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code Issues addressed include bypass, deserialization, and file disclosure vulnerabilities.
