Joseph Farebrother

**Name of the Vulnerable Software and Affected Versions** Redisson versions prior to 3.22.0 **Description** The issue concerns a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers can trick clients into communicating with a malicious server, including specially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. **Recommendations** For versions prior to 3.22.0, update to version 3.22.0 to resolve the issue. As a temporary workaround, consider restricting the allowed classes for deserialization by using the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor. Avoid using the `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. Use `KryoCodec` as a safe alternative for deserialization.

**Name of the Vulnerable Software and Affected Versions** Aerospike Java Client versions prior to 7.0.0 Aerospike Java Client versions prior to 6.2.0 Aerospike Java Client versions prior to 5.2.0 Aerospike Java Client versions prior to 4.5.0 **Description** The Aerospike Java client has a vulnerability related to the deserialization of Java objects received from the server. Attackers can trick clients into communicating with a malicious server, which can include crafted objects in its responses that force the client to execute arbitrary code when deserialized. This can be abused to take control of the machine the client is running on. The issue is related to the `ObjectInputStream` used in the `Buffer.bytesToObject` method, which deserializes objects from the message bytes without proper validation. **Recommendations** For versions prior to 7.0.0, update to version 7.0.0 or later. For versions prior to 6.2.0, update to version 6.2.0 or later. For versions prior to 5.2.0, update to version 5.2.0 or later. For versions prior to 4.5.0, update to version 4.5.0 or later. As a temporary workaround, consider avoiding deserialization of untrusted data if possible, and use other formats like JSON or XML instead of serialized objects. However, be aware that these formats should not be deserialized into complex objects to minimize attack opportunities.

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions prior to 18.12.06 **Description** The issue arises from the way Apache OFBiz handles URLs provided by external, unauthenticated users, making it vulnerable to Regular Expression Denial of Service (ReDoS). **Recommendations** For versions prior to 18.12.06, upgrade to 18.12.06 or apply the necessary patches to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Tapestry versions up to 5.8.1 **Description** The issue is related to a Regular Expression Denial of Service (ReDoS) in the way Apache Tapestry handles Content Types. Specially crafted Content Types can cause catastrophic backtracking, taking exponential time to complete, due to the regular expression used on the parameter of the `org.apache.tapestry5.http.ContentType` class. This vulnerability cannot be triggered by web requests in Tapestry code alone and would only occur if non-Tapestry code passes outside input to the `ContentType` class constructor. **Recommendations** For Apache Tapestry versions up to 5.8.1, update to version 5.8.2 to resolve the issue. As a temporary workaround, consider restricting the use of the `org.apache.tapestry5.http.ContentType` class to minimize the risk of exploitation, especially when handling outside input.