Remote Command Execution (RCE) Vulnerability in sofa-hessian
Description
sofa-hessian is an internally improved version of Hessian 3/4 maintained by Ant Group Co., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to block deserialization of known-dangerous classes. However, a gadget chain exists that bypasses the SOFA Hessian blacklist; it relies only on the JDK and needs no third-party components. The issue is fixed by an update to the blacklist: users can upgrade to sofa-hessian version 3.5.5 to avoid it. Users unable to upgrade may maintain a blacklist themselves in the directory external/serialize.blacklist.
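As an added check (not part of the advisory or of the sofa-hessian project), the script below scans the text printed by `mvn dependency:list` for `com.alipay.sofa:hessian` entries older than the patched 3.5.5 release. The sample listing is constructed, and the version ordering is a deliberate simplification of Maven's rules: any qualifier (such as `-SNAPSHOT`) is treated as preceding the bare release.

```python
"""Flag sofa-hessian dependencies below the patched 3.5.5 release."""
import re

AFFECTED_COORDS = "com.alipay.sofa:hessian"   # coordinates from the advisory
PATCHED_VERSION = "3.5.5"                      # first fixed version

# groupId:artifactId:packaging:version[:scope], as `mvn dependency:list` prints it
_DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?\b")


def numeric_key(version):
    """Return (numeric components, has_qualifier), e.g.
    '3.5.4' -> ((3, 5, 4), False); '3.5.5-SNAPSHOT' -> ((3, 5, 5), True).
    Simplification: a qualified version is assumed to precede the bare release."""
    nums, qualifier = [], False
    for tok in re.split(r"[.\-]", version):
        if tok.isdigit() and not qualifier:
            nums.append(int(tok))
        else:
            qualifier = True
    return tuple(nums), qualifier


def is_affected(version, patched=PATCHED_VERSION):
    """True if `version` is older than the patched release."""
    nums, qual = numeric_key(version)
    fixed, _ = numeric_key(patched)
    return nums < fixed or (nums == fixed and qual)


def find_affected(dependency_listing):
    """Return [(coords, version), ...] for every vulnerable sofa-hessian entry."""
    hits = []
    for line in dependency_listing.splitlines():
        for group, artifact, version in _DEP_RE.findall(line):
            coords = f"{group}:{artifact}"
            if coords == AFFECTED_COORDS and is_affected(version):
                hits.append((coords, version))
    return hits


# Constructed sample of `mvn dependency:list` output (not real project data).
SAMPLE_LISTING = """\
[INFO] The following files have been resolved:
[INFO]    com.alipay.sofa:hessian:jar:3.3.6:compile
[INFO]    com.alipay.sofa:sofa-rpc-all:jar:5.9.0:compile
[INFO]    com.alipay.sofa:hessian:jar:3.5.5:compile
"""

if __name__ == "__main__":
    for coords, version in find_affected(SAMPLE_LISTING):
        print(f"VULNERABLE {coords}:{version} (< {PATCHED_VERSION})")
```

Feed it real output with `mvn dependency:list | python check.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; transitive dependencies are included because `dependency:list` resolves the full tree.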
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.alipay.sofa:hessian (Maven) | < 3.5.5 | 3.5.5 |
Affected products
- (no CPE) range: < 3.2.0-r6
- (no CPE) range: < 3.2.0-r2
- (no CPE) range: < 3.5.5
- range: < 3.5.5