[
https://issues.apache.org/jira/browse/IGNITE-23594?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dmitry Pavlov updated IGNITE-23594:
-----------------------------------
Security: (was: Private)
> Enhance object input stream filtering
> -------------------------------------
>
> Key: IGNITE-23594
> URL: https://issues.apache.org/jira/browse/IGNITE-23594
> Project: Ignite
> Issue Type: Task
> Reporter: Mikhail Petrov
> Assignee: Mikhail Petrov
> Priority: Blocker
> Labels: ise, vulnerability
> Fix For: 2.17
>
> Attachments: ignite-kladr.tar.gz
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> The security vulnerability was reported by an end user [email:
> [email protected]], who provided a reproducer demonstrating RCE. The
> reproducer mentioned above is attached to the current ticket.
> An attacker can create a special object using classes present on the server
> side and embed it in a manually created message that mimics the Ignite
> messages used for communication.
> When Ignite receives such a message and tries to deserialize it, an arbitrary
> command can be executed on the server side.
> The provided reproducer uses javax.management.BadAttributeValueExpException
> as an entry point. This class has a readObject method which is automatically
> invoked during deserialization and calls toString on an arbitrary inner value.
> com.fasterxml.jackson.databind.node.POJONode is used as the next step: it
> provides the ability to call arbitrary object getters during string building.
> The last step is
> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl, which registers an
> arbitrary class and executes its constructor if the getOutputProperties()
> method is invoked.
> This problem is usually solved by using class filters that are applied during
> deserialization.
> Ignite already has such a mechanism (see the IGNITE_MARSHALLER_BLACKLIST and
> IGNITE_MARSHALLER_WHITELIST Ignite system properties), but the class filters
> defined by these system properties are not applied to all marshallers that
> Ignite uses during deserialization of incoming messages. Most JdkMarshaller
> instances and usages of the ObjectInputStream class are susceptible to this
> problem.
> The proposed solution:
> 1. Refactor the Ignite marshalling process to use a single instance of
> JdkMarshaller with class filters applied.
> 2. Automatically set JVM-wide object input filters based on the Ignite class
> filters mentioned above - see [JDK
> Docs|https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-80AD4DA1-6AA3-42C0-8172-DECF8FB8A841].
> This will help to cover all Java ObjectInputStream usages automatically.
> 3. Add com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl and
> javax.management.BadAttributeValueExpException to the default Ignite
> blacklist as classes that pose a potential security risk.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
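Steps 2 and 3 of the proposed solution rest on the JDK's process-wide ObjectInputFilter mechanism. The following is an added, stand-alone Java example (not Ignite code and not part of the ticket) showing how such a filter is installed once per JVM, how it turns a blacklist of class names into rejections, and that a plain `new ObjectInputStream(...)` with no per-stream filter is still covered. The class name `SerialFilterDemo`, the helper names `buildFilter`, `serialize` and `deserialize`, the resource limits, and the contents of the `BLACKLIST` set are all constructed for this example; the two class names in the set are the ones the ticket proposes adding to Ignite's default blacklist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.management.BadAttributeValueExpException;

public class SerialFilterDemo {

    // Constructed blacklist for this example. In a deployment this would be read from
    // the file named by IGNITE_MARSHALLER_BLACKLIST (or the JDK's jdk.serialFilter).
    static final Set<String> BLACKLIST = new HashSet<>(Arrays.asList(
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        "javax.management.BadAttributeValueExpException"));

    /** Builds a filter that rejects blacklisted classes (including arrays of them)
     *  and runaway object graphs; everything else is left UNDECIDED so the stream's
     *  normal class resolution proceeds. */
    static ObjectInputFilter buildFilter(Set<String> blacklist) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c != null) {
                // Treat Foo[] and Foo[][] like Foo.
                while (c.isArray()) {
                    c = c.getComponentType();
                }
                if (blacklist.contains(c.getName())) {
                    return ObjectInputFilter.Status.REJECTED;
                }
            }
            // Deep or very large graphs are a denial-of-service vector on their own;
            // the limits here are arbitrary example values.
            if (info.depth() > 50 || info.references() > 10_000 || info.arrayLength() > 100_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            return ObjectInputFilter.Status.UNDECIDED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes with a plain ObjectInputStream, i.e. the kind of call site the
     *  ticket says Ignite's marshallers contain, to show the JVM-wide filter applies.
     *  Returns null when the filter rejected the stream. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        } catch (InvalidClassException e) {
            // The JDK throws InvalidClassException with "filter status: REJECTED".
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Install the filter process-wide. This must run before any ObjectInputStream
        // is created, and the JDK permits setting it only once per JVM (it throws
        // IllegalStateException if a filter, e.g. from -Djdk.serialFilter, is already set).
        ObjectInputFilter.Config.setSerialFilter(buildFilter(BLACKLIST));

        // A harmless instance of the gadget chain's entry class. The filter runs during
        // class resolution, so the class's readObject is never reached.
        byte[] gadgetEntry = serialize(new BadAttributeValueExpException("just a string"));
        System.out.println("gadget entry -> " + deserialize(gadgetEntry));

        // An ordinary payload still round-trips through the same filter.
        byte[] benign = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        System.out.println("benign -> " + deserialize(benign));
    }
}
```

Two points a practitioner should keep in mind. First, the same result can be obtained without code through the `jdk.serialFilter` system property, whose pattern syntax negates classes with `!` and separates entries with `;`, for example `-Djdk.serialFilter='!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;!javax.management.BadAttributeValueExpException'`; a filter set this way cannot then be replaced by `setSerialFilter`. Second, a JVM-wide filter only covers `java.io.ObjectInputStream`; a blacklist of known gadget entry points is a stopgap against the published chain, and the whitelist the ticket also mentions (IGNITE_MARSHALLER_WHITELIST) is the stronger control because it rejects every class the application did not expect, not just the ones already known to be abusable.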