Vulnerability Description
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sofastack | Sofarpc | < 5.11.0 |
Related Weaknesses (CWE)
References
- https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0Release Notes
- https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86MitigationVendor Advisory
- https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0Release Notes
- https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86MitigationVendor Advisory
FAQ
What is CVE-2023-41331?
CVE-2023-41331 is a vulnerability with a CVSS score of 9.8 (CRITICAL). SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command exec...
How severe is CVE-2023-41331?
CVE-2023-41331 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-41331?
Check the references section above for vendor advisories and patch information. Affected products include: Sofastack Sofarpc.