CVE-2022-24289
N/A
Summary
Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Cayenne | 4.1 <= 4.1 | affected |
Weaknesses
- CWE-502: CWE-502 Deserialization of Untrusted Data
Workarounds
Either upgrade to Apache Cayenne 4.2 or a patched version of Java (after 6u211, 7u201, 8u191, and 11.0.1)
All versions of Apache Cayenne 4.2 have whitelisting enabled by default for the Hessian deserialization. Later versions of Java also have LDAP mitigation in place. Users can either upgrade Java or Apache Cayenne to avoid the issue.
LDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 11.0.1 where com.sun.jndi.ldap.object.trustURLCodebase system property is set to false by default to prevent JNDI from loading remote code through LDAP.
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc
- http://www.openwall.com/lists/oss-security/2022/02/11/1
References
- https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc
- http://www.openwall.com/lists/oss-security/2022/02/11/1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.