CVE-2018-1295

Name of the Vulnerable Software and Affected Versions Apache Ignite versions 2.3 and earlier

Description The issue arises from the lack of a whitelist for classes allowed for serialization and deserialization in the serialization mechanism. This allows for the execution of arbitrary code when vulnerable third-party classes are present in the Ignite classpath. The exploitation occurs when a specially crafted serialized object is sent to certain deserialization endpoints, including discovery SPI, Ignite persistence, Memcached endpoint, and socket steamer.

Recommendations For Apache Ignite versions 2.3 and earlier, update to a version later than 2.3 to resolve the issue. As a temporary workaround, consider restricting access to the deserialization endpoints of Ignite components, such as discovery SPI, Ignite persistence, Memcached endpoint, and socket steamer, to minimize the risk of exploitation.