Red Hat JBoss Data Grid Insecure Deserialization Vulnerability
Red Hat JBoss Data Grid is an in-memory datastore solution. The client application of this software has integrated the Infinispan Hot Rod client library.
A deserialization vulnerability exists in the Red Hat JBoss Data Grid. As the Hot Rod client library failed to add proper filtering before deserializing an arbitrary class, an arbitrary object could be serialized by this library. An attacker could inject a malicious serialized object via the cache, and execute arbitrary code with the privilege of the client application.
Object serialization is a feature supported by Java, which allows an object to be loaded via a binary stream, making them portable. This feature also causes security risks as hackers may load malicious object via a controllable object in deserialization. A common practice is enabling a whitelist before the application retrieve the object.
In the Hot Rod client library, however, in the version 7.1.0, the code lacks of necessary whitelisting of the object class. And in 7.1.1, the filtering could still be bypassed by using the River Marshalling Protocol:
In class org.infinispan.client.hotrod.marshall.MarshallerUtil:
In class org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller:
The patch 7.1.2 for Red Hat JBoss Data Grid version is already available here. Also SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:
- IPS 13248: Red Hat JBoss Data Grid Insecure Deserialization
Reference:
- Infinispan open sourced library : http://grepcode.com/file/repo1.maven.org/maven2/org.infinispan/infinispan-client-hotrod/
- Red Hat JBoss Data Grid 7.1.2 security update : https://dl.packetstormsecurity.net/1802-advisories/RHSA-2018-0294-01.txt
