CVE-2018-1295

Vulnerability

Apache Ignite versions 2.3 and earlier do not enforce a whitelist of allowed classes for serialization/deserialization [1]. This defect means that any class present on the Ignite classpath can be deserialized. When third-party vulnerable classes (such as gadget chains) are available, an attacker can craft a serialized object that triggers arbitrary code execution upon deserialization. The affected endpoints include the discovery SPI, Ignite persistence, Memcached endpoint, and socket streamer [1].

Exploitation

An attacker does not need authentication but must be able to send a specially crafted serialized Java object to one of the exposed deserialization endpoints [1]. Network access to the Ignite service is sufficient. The attacker prepares a malicious object that leverages known deserialization gadget classes (for example, from libraries like Commons Collections or similar) present in the Ignite classpath. On receiving and deserializing the object, the gadget chain executes attacker-supplied code [1][2].

Impact

Successful exploitation results in remote code execution (RCE) with the privileges of the Ignite process [1][2]. This can lead to full compromise of the Ignite node and potentially the entire cluster, including data theft, service disruption, or further lateral movement within the network [2]. The CVSS score is critical, indicating the severity of the impact [2].

Mitigation

Apache Ignite fixed this issue in version 2.4, which introduced a class whitelist for deserialization [1]. Users should upgrade to Ignite 2.4 or later immediately. Red Hat released an erratum (RHSA-2018:2405) for Red Hat FIS 2.0 on Fuse 6.3.0 R7 that includes the fix [2]. No workaround is mentioned in the available references; blocking network access to the vulnerable endpoints can reduce risk but is not a complete mitigation [1][2].