High severityNVD Advisory· Published Sep 19, 2024· Updated Sep 20, 2024

Remote Command Execution (RCE) Vulnerability in sofa-hessian

CVE-2024-46983

Description

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. However, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain relies only on the JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist; users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory external/serialize.blacklist.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.alipay.sofa:hessian (Maven)
< 3.5.5 | 3.5.5

Affected products

1

Patches

1
764ef4b216ae

Merge commit from fork

2 files changed · +165 61
  • src/main/resources/security/serialize.blacklist+161 57 modified
    @@ -1,44 +1,157 @@
    -org.codehaus.groovy.runtime.MethodClosure
    -clojure.core$constantly
    -clojure.main$eval_opt
    -com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactory
    -com.alibaba.citrus.springext.support.parser.AbstractNamedProxyBeanDefinitionParser$ProxyTargetFactoryImpl
    -com.alibaba.citrus.springext.util.SpringExtUtil.AbstractProxy
    -com.alipay.custrelation.service.model.redress.Pair
    +aj.org.objectweb.asm.
    +br.com.anteros.
    +bsh.
    +ch.qos.logback.
    +clojure.
    +com.alibaba.citrus.springext.support.parser.
    +com.alibaba.citrus.springext.util.SpringExtUtil.
    +com.alibaba.druid.pool.
    +com.alibaba.druid.stat.JdbcDataSourceStat
    +com.alibaba.fastjson.annotation.
    +com.alibaba.hotcode.internal.org.apache.commons.collections.functors.
    +com.alipay.custrelation.service.model.redress.
    +com.alipay.oceanbase.obproxy.druid.pool.
     com.caucho.hessian.test.TestCons
    -com.mchange.v2.c3p0.JndiRefForwardingDataSource
    -com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
    -com.rometools.rome.feed.impl.EqualsBean
    -com.rometools.rome.feed.impl.ToStringBean
    -com.sun.jndi.rmi.registry.BindingEnumeration
    -com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
    -com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
    -com.sun.rowset.JdbcRowSetImpl
    -com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
    -java.rmi.server.UnicastRemoteObject
    -java.security.SignedObject
    -java.util.ServiceLoader$LazyIterator
    -javax.imageio.ImageIO$ContainsFilter
    -javax.imageio.spi.ServiceRegistry
    -javax.management.BadAttributeValueExpException
    -javax.naming.InitialContext
    -javax.naming.spi.ObjectFactory
    -javax.script.ScriptEngineManager
    -javax.sound.sampled.AudioFormat$Encoding
    -org.apache.carbondata.core.scan.expression.ExpressionResult
    -org.apache.commons.dbcp.datasources.SharedPoolDataSource
    -org.apache.ibatis.executor.loader.AbstractSerialStateHolder
    -org.apache.ibatis.executor.loader.CglibSerialStateHolder
    -org.apache.ibatis.executor.loader.JavassistSerialStateHolder
    -org.apache.ibatis.executor.loader.cglib.CglibProxyFactory
    -org.apache.ibatis.executor.loader.javassist.JavassistSerialStateHolder
    -org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
    -org.apache.wicket.util.upload.DiskFileItem
    -org.apache.xalan.xsltc.trax.TemplatesImpl
    -org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding
    -org.apache.xpath.XPathContext
    -org.eclipse.jetty.util.log.LoggerLog
    -org.geotools.filter.ConstantExpression
    +com.caucho.naming.Qname
    +com.ibatis.
    +com.ibm.jtc.jax.xml.bind.v2.runtime.unmarshaller.
    +com.ibm.xltxe.rnm1.xtq.bcel.util.
    +com.mchange.
    +com.mysql.cj.jdbc.admin.
    +com.mysql.cj.jdbc.MysqlConnectionPoolDataSource
    +com.mysql.cj.jdbc.MysqlDataSource
    +com.mysql.cj.jdbc.MysqlXADataSource
    +com.mysql.cj.log.
    +com.mysql.jdbc.util.
    +com.p6spy.engine.
    +com.rometools.rome.feed.
    +com.sun.
    +com.taobao.eagleeye.wrapper.
    +com.taobao.vipserver.commons.collections.functors.
    +com.zaxxer.hikari.
    +flex.messaging.util.concurrent.
    +groovy.lang.
    +java.awt.
    +java.beans.
    +java.net.InetAddress
    +java.net.Socket
    +java.net.URL
    +java.rmi.
    +java.security.
    +java.util.EventListener
    +java.util.jar.
    +java.util.logging.
    +java.util.prefs.
    +java.util.ServiceLoader
    +java.util.StringTokenizer
    +javassist.
    +javax.activation.
    +javax.imageio.
    +javax.management.
    +javax.media.jai.remote.
    +javax.naming.
    +javax.net.
    +javax.print.
    +javax.script.
    +javax.sound.
    +javax.swing.
    +javax.tools.
    +javax.xml
    +jdk.internal.
    +jodd.db.connection.
    +junit.
    +net.bytebuddy.dynamic.loading.
    +net.sf.cglib.
    +net.sf.ehcache.hibernate.
    +net.sf.ehcache.transaction.manager.
    +ognl.
    +oracle.jdbc.
    +oracle.jms.aq.
    +oracle.net.
    +org.aoju.bus.proxy.provider.
    +org.apache.activemq.ActiveMQConnectionFactory
    +org.apache.activemq.ActiveMQXAConnectionFactory
    +org.apache.activemq.jms.pool.
    +org.apache.activemq.pool.
    +org.apache.activemq.spring.
    +org.apache.aries.transaction.
    +org.apache.axis2.jaxws.spi.handler.
    +org.apache.axis2.transport.jms.
    +org.apache.bcel.
    +org.apache.carbondata.core.scan.expression.
    +org.apache.catalina.
    +org.apache.cocoon.
    +org.apache.commons.beanutils.
    +org.apache.commons.codec.
    +org.apache.commons.collections.comparators.
    +org.apache.commons.collections.functors.
    +org.apache.commons.collections.Transformer
    +org.apache.commons.collections4.comparators.
    +org.apache.commons.collections4.functors.
    +org.apache.commons.collections4.Transformer
    +org.apache.commons.configuration.
    +org.apache.commons.configuration2.
    +org.apache.commons.dbcp.
    +org.apache.commons.fileupload.
    +org.apache.commons.jelly.
    +org.apache.commons.logging.
    +org.apache.commons.proxy.
    +org.apache.cxf.jaxrs.provider.
    +org.apache.hadoop.shaded.com.zaxxer.hikari.
    +org.apache.http.auth.
    +org.apache.http.conn.
    +org.apache.http.cookie.
    +org.apache.http.impl.
    +org.apache.ibatis.datasource.
    +org.apache.ibatis.executor.
    +org.apache.ibatis.javassist.
    +org.apache.ibatis.ognl.
    +org.apache.ibatis.parsing.
    +org.apache.ibatis.reflection.
    +org.apache.ibatis.scripting.
    +org.apache.ignite.cache.
    +org.apache.ignite.cache.jta.
    +org.apache.log.output.db.
    +org.apache.log4j.
    +org.apache.logging.
    +org.apache.myfaces.context.servlet.
    +org.apache.myfaces.view.facelets.el.
    +org.apache.openjpa.ee.
    +org.apache.shiro.
    +org.apache.tomcat.
    +org.apache.velocity.
    +org.apache.wicket.util.
    +org.apache.xalan.
    +org.apache.xbean.
    +org.apache.xpath.
    +org.apache.zookeeper.
    +org.aspectj.
    +org.codehaus.groovy.runtime.
    +org.codehaus.jackson.
    +org.datanucleus.store.rdbms.datasource.dbcp.datasources.
    +org.dom4j.
    +org.eclipse.jetty.
    +org.geotools.filter.
    +org.h2.jdbcx.
    +org.h2.server.
    +org.h2.value.
    +org.hibernate.
    +org.javasimon.
    +org.jaxen.
    +org.jboss.
    +org.jdom.
    +org.jdom2.transform.
    +org.junit.
    +org.logicalcobwebs.
    +org.mockito.
    +org.mortbay.jetty.
    +org.mortbay.log.
    +org.mozilla.javascript.
    +org.objectweb.asm.
    +org.osjava.sj.
    +org.python.core.
    +org.quartz.
    +org.slf4j.
     org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder
     org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor
     org.springframework.beans.factory.BeanFactory
    @@ -47,22 +160,13 @@ org.springframework.beans.factory.support.DefaultListableBeanFactory
     org.springframework.jndi.support.SimpleJndiBeanFactory
     org.springframework.orm.jpa.AbstractEntityManagerFactoryBean
     org.springframework.transaction.jta.JtaTransactionManager
    -org.yaml.snakeyaml.tokens.DirectiveToken
    -sun.rmi.server.UnicastRef
    -javax.management.ImmutableDescriptor
     org.springframework.jndi.JndiObjectTargetSource
    -ch.qos.logback.core.db.JNDIConnectionSource
    -java.beans.Expression
    -javassist.bytecode
    -org.apache.ibatis.javassist.bytecode
     org.springframework.beans.factory.config.MethodInvokingFactoryBean
    -com.alibaba.druid.pool.DruidDataSource
    -com.sun.org.apache.bcel.internal.util.ClassLoader
    -com.alibaba.druid.stat.JdbcDataSourceStat
    -org.apache.tomcat.dbcp.dbcp.BasicDataSource
    -com.sun.org.apache.xml.internal.security.signature.XMLSignatureInput
    -javassist.tools.web.Viewer
    -net.bytebuddy.dynamic.loading.ByteArrayClassLoader
    -org.apache.commons.beanutils.BeanMap
    -com.caucho.naming.Qname
    -com.sun.org.apache.xpath.internal.objects.Xstring
    +org.thymeleaf.
    +org.yaml.snakeyaml.tokens.
    +pstore.shaded.org.apache.commons.collections.
    +sun.print.
    +sun.rmi.server.
    +sun.rmi.transport.
    +weblogic.ejb20.internal.
    +weblogic.jms.common.
    \ No newline at end of file
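Review bot: `javax.xml` on the new side is the only package-style entry without a trailing dot, while its neighbours (`javax.tools.`, `jdk.internal.`) all end in one; whether that matters depends on how the loader matches — with a plain startsWith it still covers `javax.xml.*` (and any unrelated name beginning with `javax.xml`), but with a boundary-aware match it would not cover the subpackages at all. I would normalise it to `javax.xml.` for consistency either way. Several removed exact entries are now covered only by a broader prefix (for example `java.util.ServiceLoader$LazyIterator` by `java.util.ServiceLoader`, `java.beans.Expression` by `java.beans.`), so a regression test that feeds each previously listed class name through the check and confirms it is still rejected would guard the consolidation. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing if the list is ever line-parsed or diffed by tools that care.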
    
  • src/test/java/com/caucho/hessian/test/SerializerFactoryTest.java+4 4 modified
    @@ -21,8 +21,8 @@
     import org.junit.Assert;
     import org.junit.Test;
     
    -import java.awt.Color;
     import java.lang.reflect.Field;
    +import java.util.Date;
     import java.util.Map;
     
     /**
    @@ -41,7 +41,7 @@ public void getDeserializerByType() throws Exception {
                 .get(serializerFactory));
             ClassLoader cl = Thread.currentThread().getContextClassLoader();
     
    -        final String testClassName = Color.class.getName();
    +        final String testClassName = Date.class.getName();
             Deserializer d1 = serializerFactory.getDeserializer(testClassName);
             Assert.assertNotNull("TestClass Deserializer!", d1);
     
    @@ -67,7 +67,7 @@ public void getDeserializerByType2() throws Exception {
                 .get(serializerFactory));
             ClassLoader cl = Thread.currentThread().getContextClassLoader();
     
    -        final String testClassName = Color.class.getName();
    +        final String testClassName = Date.class.getName();
             Deserializer d1 = serializerFactory.getDeserializer(testClassName);
             Assert.assertNotNull("TestClass Deserializer!", d1);
     
    @@ -93,7 +93,7 @@ public void testDynamicLoadEnableDefaultFalse() throws Exception {
                 .get(serializerFactory));
             ClassLoader cl = Thread.currentThread().getContextClassLoader();
     
    -        final String testClassName = Color.class.getName();
    +        final String testClassName = Date.class.getName();
             Deserializer d1 = serializerFactory.getDeserializer(testClassName);
             Assert.assertNotNull("TestClass Deserializer!", d1);
     
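Review bot: The three hunks only swap `Color` for `Date` so the existing positive lookups keep passing under the widened blacklist (`java.awt.` is now a blocked prefix), but no test pins the negative case the fix introduces. I would add a case that calls `serializerFactory.getDeserializer("java.awt.Color")` and asserts the factory's rejection behaviour for blocked classes, so a future blacklist edit that drops the prefix fails a test instead of silently reopening the class. A short comment on the changed line, `// java.awt.* is on the serialize blacklist; use a JDK class that is still deserializable`, would also explain why Date replaced Color. The enclosing test methods start and end outside the hunks.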
    


References

4
