CVE-2021-36981

A remote attacker who is already authenticated to the Verinice.Pro server (they must have a valid JSESSIONID) sends a crafted serialized Java object to a Spring remoting endpoint. The server's `RemoteInvocationSerializingExporter` deserializes the payload using `readObject()`, which triggers a gadget chain (e.g., C3P0, FileUpload1, URLDNS) that executes arbitrary code on the server. The advisory demonstrates that the C3P0 gadget can be leveraged for full remote code execution by serving a malicious Java class via a rogue JNDI server [ref_id=1].

The vulnerability resides in the Spring `RemoteInvocationSerializingExporter` class (within `spring-context`) used by the Verinice.Pro server. The `doReadRemoteInvocation` method calls `ois.readObject()` on attacker-controlled input without any type filtering or validation, allowing arbitrary Java objects to be deserialized.

The advisory does not include a patch diff, but the fix is described as upgrading to Verinice.Pro version 1.22.2. The remediation likely involves either removing the insecure Spring remoting endpoint, adding a type whitelist to the `ObjectInputStream`, or replacing the deserialization mechanism entirely to prevent arbitrary class instantiation [ref_id=1].