PT-2018-18383 · Apache · Apache Ignite

Published: 2018-07-19 · Updated: 2019-02-28 · CVE-2018-8018

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Ignite versions prior to 2.4.8; Apache Ignite versions 2.5.x prior to 2.5.3
Description: The serialization mechanism in Apache Ignite does not enforce a list of classes allowed for serialization/deserialization. As a result, arbitrary code can be executed when third-party vulnerable classes are present on the Ignite classpath. The issue can be exploited by sending a specially prepared serialized object to the GridClientJdkMarshaller deserialization endpoint.
Recommendations: For Apache Ignite versions prior to 2.4.8, update to version 2.4.8 or later. For Apache Ignite versions 2.5.x prior to 2.5.3, update to version 2.5.3 or later. As a temporary workaround, restrict network access to the GridClientJdkMarshaller deserialization endpoint to minimize the risk of exploitation.
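To illustrate the flaw the description names (a JDK ObjectInputStream that accepts any class on the classpath) next to the control it lacks (an allowlist of permitted classes), here is an added Java example; it is generic demonstration code, not Ignite's code or the GridClientJdkMarshaller itself, and the class names in the filter and the sample objects are assumptions chosen for illustration. It uses java.io.ObjectInputFilter, available since JDK 9.

```java
import java.io.*;

public class AllowlistDeserialization {
    // Hypothetical allowlist (not from Ignite): only these classes may be
    // instantiated; "!*" rejects every other class before its readObject() runs.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;!*");

    // Weak pattern: a raw ObjectInputStream with no class filter, the kind of
    // endpoint the advisory describes. Any Serializable class on the classpath
    // is instantiated, so a gadget class there leads to code execution.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the same stream with the allowlist installed (JDK 9+ API).
    static Object readAllowlisted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: a benign String and a java.util.Date, which
        // stands in for any class that is Serializable but not on the allowlist.
        byte[] benign = serialize("ping");
        byte[] offList = serialize(new java.util.Date(0L));

        System.out.println("unfiltered accepted: " + readUnfiltered(offList));
        System.out.println("allowlisted accepted: " + readAllowlisted(benign));
        try {
            readAllowlisted(offList);
        } catch (InvalidClassException e) {
            // ObjectInputStream throws InvalidClassException when the filter rejects.
            System.out.println("allowlisted rejected: " + e.getMessage());
        }
    }
}
```

The same filter pattern can be applied process-wide through the jdk.serialFilter system property, which is the practical way to harden a deserialization endpoint whose stream you do not construct yourself.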

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2018-8018
GHSA-QCJV-WFCG-MMPR

Affected Products

Apache Ignite