CVE-2023-41331

SOFARPC Remote Command Execution (RCE) Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully
crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

SOFARPC es un framework de Java RPC. Las versiones anteriores a la 5.11.0 son vulnerables a la ejecución remota de comandos. A través de un payload manipulado, un atacante puede lograr la inyección JNDI o la ejecución de comandos del sistema. En la configuración predeterminada del framework SOFARPC, se utiliza una lista negra para filtrar las clases peligrosas encontradas durante el proceso de deserialización. Sin embargo, la lista negra no es exhaustiva y un actor puede explotar ciertas clases nativas de JDK y paquetes comunes de terceros para construir cadenas de dispositivos capaces de lograr ataques de inyección JNDI o ejecución de comandos del sistema. La versión 5.11.0 contiene una solución para este problema. Como workaround, los usuarios pueden agregar `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` a la lista negra.

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-08-28 CVE Reserved
2023-09-12 CVE Published
2024-09-25 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CAPEC

References (2)

URL	Tag	Source
https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0	Release Notes

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86	2023-09-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sofastack Search vendor "Sofastack"		Sofarpc Search vendor "Sofastack" for product "Sofarpc"				< 5.11.0 Search vendor "Sofastack" for product "Sofarpc" and version " < 5.11.0"		-		Affected