High severity · NVD Advisory · Published May 15, 2018 · Updated Sep 16, 2024

CVE-2018-1131

Description

Infinispan XML/JSON transcoders deserialize untrusted data, allowing authenticated users to achieve code execution on affected server versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Infinispan, an open-source in-memory data grid, permits improper deserialization of untrusted data via its XML and JSON transcoders under certain server configurations [2]. The vulnerability resides in the transcoder components that handle XML and JSON serialization. A cache must be configured to accept certain types of objects for the vulnerable code path to be reachable. Affected versions include 8.2.10.Final, 9.0.3.Final, 9.1.7.Final, 9.2.2.Final, and 9.3.0.Alpha1 [1][2].

Exploitation

An attacker requires authenticated access to the Infinispan server [2]. Exploitation involves sending a malicious serialized object to a cache that is configured to accept XML or JSON data types [1][2]. The attacker must craft a payload that, when deserialized by the vulnerable transcoder, executes arbitrary code. No other user interaction is required beyond authentication [2].

Impact

Successful exploitation leads to remote code execution (RCE) on the Infinispan server [1][2][3]. The attacker gains the ability to execute arbitrary commands with the privileges of the Infinispan process, potentially leading to full compromise of the data grid and the underlying host. This is rated as an Important severity issue by Red Hat [1][3].

Mitigation

Red Hat released a security update for Red Hat JBoss Data Grid 7.2.1, which includes a fixed version of Infinispan, on 2018-06-12 [3]. Users should upgrade to the patched version or apply the vendor-supplied updates [1][3]. For those using the upstream Infinispan project, updating to a release that contains the fix (i.e., one later than the affected versions listed above) is recommended [4]. No workaround is described in the available references.
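A dependency check against the affected range given in this page's advisory table, as an added example that is not code from the page or from the Infinispan project; it assumes a simplified Maven-style qualifier ordering (Alpha < Beta < CR < Final, with Final equal to no qualifier) and scans constructed `mvn dependency:list` style output:

```python
import re

# Assumption: simplified Maven/Infinispan qualifier ordering. "final" and an
# absent qualifier are treated as the same (highest) rank.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "final": 3, "": 3}

def parse_version(v):
    """Turn '9.3.0.Alpha1' into a sortable key: ((9, 3, 0), rank, qualifier_number)."""
    nums, qual = [], ""
    for part in v.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qual = part
    while len(nums) < 3:
        nums.append(0)
    name, num = re.fullmatch(r"([A-Za-z]*)(\d*)", qual).groups()
    if name.lower() not in QUALIFIER_RANK:
        raise ValueError(f"unrecognised qualifier in {v!r}")
    return (tuple(nums[:3]), QUALIFIER_RANK[name.lower()], int(num) if num else 0)

# Range from the advisory table on this page: >= 9.3.0.Alpha1, < 9.3.1.Final
AFFECTED_LOW = parse_version("9.3.0.Alpha1")
FIXED = parse_version("9.3.1.Final")

def is_affected(version):
    """True when the infinispan-core version lies inside the advisory's affected range."""
    return AFFECTED_LOW <= parse_version(version) < FIXED

def scan_dependency_list(text):
    """Return the infinispan-core versions found in dependency-list output that are affected."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"org\.infinispan:infinispan-core:jar:([^:\s]+)", line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE = """\
[INFO]    org.infinispan:infinispan-core:jar:9.3.0.Alpha1:compile
[INFO]    org.infinispan:infinispan-core:jar:9.3.1.Final:compile
[INFO]    org.infinispan:infinispan-commons:jar:9.3.0.Final:compile
"""

if __name__ == "__main__":
    print("affected infinispan-core versions:", scan_dependency_list(SAMPLE))
```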

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.infinispan:infinispan-core (Maven)
Affected versions: >= 9.3.0.Alpha1, < 9.3.1.Final
Patched versions: 9.3.1.Final

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 6

News mentions: 0 (no linked articles indexed yet)