PT-2021-18247 · Ratpack · Ratpack
Jlleitschuh · Published 2021-06-29 · Updated 2021-07-08 · CVE-2021-29485
CVSS v3.1: 9.9 Critical (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions:
Ratpack versions prior to 1.9.0
Description:
An attacker who can write to the Ratpack session store can achieve Remote Code Execution (RCE) by placing a crafted Java deserialization gadget chain in session data. This class of issue is known as "insecure deserialization" (Deserialization of Untrusted Data). Ratpack's session mechanism stores serialized objects of arbitrary types and, by default, uses Java's built-in serialization, so session bytes are handed to ObjectInputStream with no restriction on which classes the stream may name and instantiate; any serializable class on the application's classpath, including gadget classes from libraries the application merely depends on, is therefore reachable from attacker-controlled bytes. The attacker must first be able to write session data (the CVSS vector's PR:L reflects this), and the vulnerability turns that write into code execution in the server process. To mitigate this, Ratpack now employs a strict allow-list when deserializing (and serializing) objects to and from session data.
Recommendations:
For versions prior to 1.9.0, the simplest mitigation is to reduce the likelihood of attackers being able to write to the session data store (for example, do not share the store with less trusted applications, and protect any client-side session data with integrity checks).
Alternatively or additionally, the allow-list mechanism can be backported manually by providing an alternative implementation of SessionSerializer that refuses any class not on an explicit allow-list. The check must apply to every class descriptor in the stream, not only to the top-level type being requested, because gadget chains are carried in nested objects.
For version 1.9.0 and later, users of the built-in serialization mechanism need to update their application to declare every type currently being stored in sessions as safe using the new SessionModule.allowTypes() method; types that are not declared will be rejected by the strict allow-list after upgrading.
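As an added illustration (not Ratpack project code), the following Java sketch shows both recommendations: a backported allow-list SessionSerializer for pre-1.9.0 deployments, and a Guice module that declares session types with SessionModule.allowTypes() on 1.9.0 and later. It assumes the 1.x SessionSerializer method shape serialize(Class<T>, T, OutputStream) / deserialize(Class<T>, InputStream) and the 1.9.0 signature SessionModule.allowTypes(Binder, Class<?>...); confirm both against the Javadoc of the version you run. UserProfile and CartItem are hypothetical application classes, and how the custom serializer replaces the session module's default binding depends on your Guice setup.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.google.inject.AbstractModule;
import ratpack.session.SessionModule;
import ratpack.session.SessionSerializer;

/**
 * Added example (not Ratpack project code). Backport of the 1.9.0 allow-list idea for
 * pre-1.9.0 applications: Java serialization is still used, but every class descriptor
 * in the stream is checked against an explicit allow-list before the JVM instantiates
 * anything, so a gadget chain is rejected before its readObject() can run.
 * Assumes the 1.x SessionSerializer method shapes shown below.
 */
public final class AllowListSessionSerializer implements SessionSerializer {

  // JDK value and collection types that sessions commonly hold. Keep this list small:
  // every extra class is one more class an attacker may name in the stream.
  private static final Set<String> JDK_BASICS = new HashSet<>(Arrays.asList(
      "java.lang.String", "java.lang.Boolean", "java.lang.Integer", "java.lang.Long",
      "java.util.ArrayList", "java.util.HashMap", "java.util.UUID"));

  private final Set<String> allowed;

  public AllowListSessionSerializer(Class<?>... applicationTypes) {
    Set<String> names = new HashSet<>(JDK_BASICS);
    for (Class<?> type : applicationTypes) {
      names.add(type.getName());
    }
    allowed = Collections.unmodifiableSet(names);
  }

  @Override
  public <T> void serialize(Class<T> type, T value, OutputStream out) throws Exception {
    check(type.getName()); // refuse to write what we would refuse to read back
    ObjectOutputStream oos = new ObjectOutputStream(out);
    oos.writeObject(value);
    oos.flush();
  }

  @Override
  public <T> T deserialize(Class<T> type, InputStream in) throws Exception {
    check(type.getName());
    ObjectInputStream ois = new ObjectInputStream(in) {
      @Override
      protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Invoked for every class descriptor in the stream, nested fields included,
        // which is exactly what a check on the top-level type alone cannot cover.
        check(desc.getName());
        return super.resolveClass(desc);
      }
    };
    return type.cast(ois.readObject());
  }

  private void check(String streamName) throws InvalidClassException {
    String element = elementType(streamName);
    boolean primitive = element.length() == 1; // "I", "B", ... from "[I", "[[B"
    if (primitive || allowed.contains(element)) {
      return;
    }
    throw new InvalidClassException(streamName, "type is not on the session allow-list");
  }

  /** Maps JVM array names to the element class: "[[Lcom.example.Foo;" -> "com.example.Foo". */
  private static String elementType(String name) {
    int dims = 0;
    while (dims < name.length() && name.charAt(dims) == '[') {
      dims++;
    }
    if (dims == 0) {
      return name;
    }
    String rest = name.substring(dims);
    return rest.length() == 1 ? rest : rest.substring(1, rest.length() - 1);
  }
}

// Hypothetical application session types, constructed for this example.
class UserProfile implements java.io.Serializable { String displayName; }
class CartItem implements java.io.Serializable { String sku; int quantity; }

/**
 * On Ratpack 1.9.0 and later the same declaration goes through the built-in mechanism;
 * the allowTypes(Binder, Class<?>...) signature is assumed from the 1.9.0 API.
 */
class SessionTypesModule extends AbstractModule {
  @Override
  protected void configure() {
    SessionModule.allowTypes(binder(), UserProfile.class, CartItem.class);
  }
}
```

The pre-1.9.0 serializer is constructed as `new AllowListSessionSerializer(UserProfile.class, CartItem.class)`; anything stored in a session that is not one of those types, one of the listed JDK basics, or a primitive array fails with InvalidClassException on both the write and the read path, which also surfaces any session types you forgot to declare before an attacker finds the gap.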
Weakness Enumeration: Deserialization of Untrusted Data (CWE-502)
Related Identifiers: CVE-2021-29485
Affected Products: Ratpack