C3P0 · C3P0 · CVE-2026-27830
**Name of the Vulnerable Software and Affected Versions**
c3p0 versions prior to 0.12.0
**Description**
c3p0, a JDBC Connection pooling library, is susceptible to attack through maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Specifically, the `userOverridesAsString` property in several `ConnectionPoolDataSource` implementations, which represents a `Map<String,Map<String,String>>`, was previously maintained as a hex-encoded serialized object. An attacker who can modify this property, either directly or through malicious serialized objects or `javax.naming.Reference` instances, could execute arbitrary code present on the application's `CLASSPATH`. This risk is amplified by vulnerabilities in c3p0's dependency, mchange-commons-java, which includes JNDI functionality with ungated support for remote `factoryClassLocation` values. Attackers could leverage this to set `userOverridesAsString` with objects indirectly serialized via JNDI references, leading to the download and execution of malicious code from a remote `factoryClassLocation`. Using a hex-encoded Java-serialized object as the representation of a writable Java-Bean property exposed across JNDI interfaces is a significant security concern in itself.
**Recommendations**
Upgrade to c3p0 version 0.12.0 or later.