PT-2023-21940 · Apache+1 · Shardingsphere-Agent+1

Liav Gutman · Published 2023-07-19 · Updated 2024-10-02 · CVE-2023-28754

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ShardingSphere-Agent versions through 5.3.2

Description: The Deserialization of Untrusted Data issue in Apache ShardingSphere-Agent allows attackers to execute arbitrary code by constructing a special YAML configuration file. An attacker must have permission to modify the ShardingSphere Agent YAML configuration file on the target machine, and the target machine must be able to access the URL with the arbitrary code JAR. The attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. When the ShardingSphere JVM process starts and uses the ShardingSphere-Agent, the arbitrary code specified by the attacker will be executed during the deserialization of the YAML configuration file by the Agent.

Recommendations: For ShardingSphere-Agent versions through 5.3.2, update to Apache ShardingSphere 5.4.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the ShardingSphere Agent YAML configuration file to prevent modification by unauthorized users. Additionally, restrict the target machine's access to URLs with arbitrary code JARs to minimize the risk of exploitation.
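As an added illustration of the mitigation pattern (this is example code, not ShardingSphere's own 5.4.0 fix), the following Java snippet loads an agent-style YAML file through SnakeYAML's SafeConstructor, which builds only plain maps, lists and scalars and rejects any !!class tag, including the java.net.URLClassLoader tag named above. The class name, the two sample YAML documents and the agent-config shape are constructed for the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/** Added example: parse a YAML config with SnakeYAML restricted to plain data types. */
public class SafeAgentConfigLoader {

    // Constructed sample: a benign agent-style config as the loader normally sees it.
    static final String BENIGN_CONFIG =
            "plugins:\n" +
            "  logging:\n" +
            "    enabled: true\n";

    // Constructed sample: a config whose global tag names an arbitrary Java class.
    // SafeConstructor refuses to instantiate it; an unrestricted new Yaml() on
    // SnakeYAML 1.x would attempt to construct the named class instead.
    static final String TAGGED_CONFIG =
            "plugins: !!java.net.URLClassLoader []\n";

    /**
     * Parses YAML into Maps, Lists and scalars only. Any tag that is not a
     * standard YAML type (e.g. !!java.net.URLClassLoader) raises YAMLException
     * before any class is resolved or instantiated.
     */
    public static Map<String, Object> load(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        System.out.println("benign config: " + load(BENIGN_CONFIG));
        try {
            load(TAGGED_CONFIG);
            System.out.println("UNEXPECTED: tagged config was accepted");
        } catch (YAMLException e) {
            // Expected path: "could not determine a constructor for the tag ..."
            System.out.println("tagged config rejected: " + e.getMessage());
        }
    }
}
```

Requires SnakeYAML 1.33 or later (the SafeConstructor(LoaderOptions) signature); on SnakeYAML 2.x the default Yaml() constructor is already restrictive, but pinning SafeConstructor explicitly keeps the behaviour independent of the library version.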

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2023-28754
GHSA-3CXH-XP3G-JXJM

Affected Products

Java
Shardingsphere-Agent