CVE-2023-41331

moderate-risk
Published 2023-09-12

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

Do I need to act?

~
4.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 7177205e4bd54fa0e45ad1e2101d0bdfd0b41ca6
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Sofarpc

Affected Vendors

Sofastack

References (4)

Release Notes https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0
Mitigation https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86
Release Notes https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0
Mitigation https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 7/34 · Low
Exposure 5/34 · Minimal