Red Hat Fuse: ENTESB-8682

CVE-2018-1295 ignite-core: ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints [fis-2.0]


    Details

    • Security Sensitive Issue: This issue is security relevant

      Description

      Security Tracking Issue

      Do not make this issue public.

      This bug is subject to the Security Errata Policy.

      The overall impact of the blocking security issue(s) is Important. Based on this impact, this bug must be resolved by 02-May-2018.

      Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata

      Flaw:

      CVE-2018-1295 ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints
      https://bugzilla.redhat.com/show_bug.cgi?id=1563133

      The Apache Ignite serialization mechanism does not have a list of classes
      allowed for serialization/deserialization, which makes it possible to run
      arbitrary code when vulnerable third-party classes are present on the Ignite
      classpath. The vulnerability can be exploited if one sends a specially
      prepared form of a serialized object to one of the deserialization
      endpoints of some Ignite components: discovery SPI, Ignite persistence,
      the Memcached endpoint, or the socket streamer.

      External References:

      https://lists.apache.org/thread.html/45e7d5e2c6face85aab693f5ae0616563132ff757e5a558da80d0209@%3Cdev.ignite.apache.org%3E
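Added illustration of the missing control described above (not Ignite's or Red Hat's code): a Java ObjectInputStream that resolves only allowlisted classes, so a stream naming any other class present on the classpath is refused before it is loaded or instantiated. The Message type and the allowlist contents are assumptions constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Added illustration, not Ignite's code: an ObjectInputStream that refuses to
// resolve any class not on an explicit allowlist (the control the advisory says
// the Ignite deserialization endpoints lack).
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Hypothetical allowlist: the application's own message type plus the JDK
    // types its fields serialize as (Integer's descriptor also names Number).
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "AllowlistObjectInputStream$Message",
            "java.lang.Number", "java.lang.Integer"));

    public AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Reject before the class is loaded or any object is instantiated.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Sample payload type, constructed for this demo.
    static class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        String text; Integer count;
        Message(String text, Integer count) { this.text = text; this.count = count; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Listed type deserializes normally.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(new Message("hello", 3))))) {
            Message m = (Message) in.readObject();
            System.out.println("accepted: " + m.text + " x" + m.count);
        }
        // Any other class in the stream (a harmless JDK type stands in here) is refused.
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(serialize(new Date())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with `ObjectInputFilter` instead of overriding `resolveClass`; the allowlist itself must still be maintained per endpoint.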


      People

      • Assignee: Unassigned
      • Reporter: Hooman Broujerdi (hooman_b2455)
      • Tester: Lukáš Löwinger
      • Involved: Hooman Broujerdi
      • Votes: 0
      • Watchers: 4
