PT-2023-27908 · Sofarpc · Sofarpc

Bofei Chen · Published 2023-09-12 · Updated 2023-09-15 · CVE-2023-41331

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

SOFARPC versions prior to 5.11.0

Description:

SOFARPC is a Java RPC framework. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In its default configuration, SOFARPC uses a blacklist to filter out dangerous classes during deserialization. Because the blacklist is not comprehensive, an attacker can use certain native JDK classes and common third-party packages to construct gadget chains that result in JNDI injection or system command execution.

Recommendations:

For versions prior to 5.11.0, update to version 5.11.0 to resolve the issue.

As a temporary workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the JVM startup options, which adds that class to the deserialization blacklist.
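The advisory's point is that a blacklist only stops the classes it already names. The following is an added illustration, not SOFARPC's own code: a JDK `ObjectInputFilter` whose blacklist can be extended through a system property (modelled on the shape of the workaround above; `demo.serialize.blacklist.override` and `com.example.KnownBadClass` are constructed names) placed next to an allowlist filter that accepts only the types the service actually exchanges. It uses the standard `java.io` filter mechanism rather than SOFARPC's own serialization layer, so it runs stand-alone on Java 11 or later. `java.util.ArrayList` stands in for "a harmless class the blacklist never anticipated"; it is not presented as dangerous.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class DeserializationFilterDemo {

    // Constructed DTO standing in for a type the service legitimately exchanges.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Blacklist filter: rejects only the class names it has been told about.
    // Extra names come from a system property, mirroring the shape of the
    // SOFARPC workaround; the property name here is a constructed example.
    static ObjectInputFilter blacklistFilter() {
        Set<String> blocked = new TreeSet<>(List.of("com.example.KnownBadClass"));
        String override = System.getProperty("demo.serialize.blacklist.override", "");
        for (String name : override.split(",")) {
            if (!name.isBlank()) blocked.add(name.trim());
        }
        return info -> {
            Class<?> c = info.serialClass();
            // Depth/reference checks carry no class; leave those undecided.
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;
            return blocked.contains(c.getName())
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.ALLOWED;
        };
    }

    // Allowlist filter: only the types the protocol needs are accepted;
    // anything else, including unlisted JDK classes, is rejected by default.
    static ObjectInputFilter allowlistFilter() {
        Set<String> allowed = Set.of(Greeting.class.getName(), String.class.getName());
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;
            return allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the deserialized object, or null if the filter rejected a class
    // (ObjectInputStream reports a rejection as InvalidClassException).
    static Object deserializeWith(byte[] bytes, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        } catch (InvalidClassException rejected) {
            return null;
        }
    }

    static String outcome(byte[] bytes, ObjectInputFilter filter) throws Exception {
        Object o = deserializeWith(bytes, filter);
        return o == null ? "REJECTED" : "ACCEPTED " + o.getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // A harmless JDK class the blacklist never mentions: the blacklist
        // waves it through, the allowlist rejects it.
        byte[] unexpected = serialize(new ArrayList<>(List.of("hello")));

        System.out.println("blacklist, expected type:   " + outcome(expected, blacklistFilter()));
        System.out.println("blacklist, unexpected type: " + outcome(unexpected, blacklistFilter()));
        System.out.println("allowlist, expected type:   " + outcome(expected, allowlistFilter()));
        System.out.println("allowlist, unexpected type: " + outcome(unexpected, allowlistFilter()));
    }
}
```

Run with `-Ddemo.serialize.blacklist.override=java.util.ArrayList` and the blacklist case flips to REJECTED, which is exactly the shape of the advisory's workaround: a blacklist only catches what someone has already thought to add. The same allowlist can be written as a JDK pattern filter, `ObjectInputFilter.Config.createFilter("DeserializationFilterDemo$Greeting;java.lang.String;!*")`, or set process-wide through the `jdk.serialFilter` system property; the trailing `!*` is what turns a pattern list into an allowlist.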

Related Identifiers

CVE-2023-41331
GHSA-CHV2-7HXJ-2J86

Affected Products

Sofarpc