PT-2023-4283 · Aerospike · Aerospike Java Client

Atorralba +3
Published: 2023-08-03 · Updated: 2023-08-12
CVE-2023-36480
CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Aerospike Java Client versions prior to 7.0.0
Aerospike Java Client versions prior to 6.2.0
Aerospike Java Client versions prior to 5.2.0
Aerospike Java Client versions prior to 4.5.0
Description
The Aerospike Java client is vulnerable through the deserialization of Java objects received from the server. An attacker who can trick a client into communicating with a malicious server can include crafted objects in that server's responses; when the client deserializes them it executes arbitrary code, which can be abused to take control of the machine the client runs on. The root cause is the ObjectInputStream used in the Buffer.bytesToObject method, which deserializes objects from the message bytes without validating the incoming data.

Recommendations
For versions prior to 7.0.0, update to version 7.0.0 or later.
For versions prior to 6.2.0, update to version 6.2.0 or later.
For versions prior to 5.2.0, update to version 5.2.0 or later.
For versions prior to 4.5.0, update to version 4.5.0 or later.
As a temporary workaround, avoid deserializing untrusted data where possible and use formats such as JSON or XML instead of serialized Java objects. Be aware that even those formats should not be deserialized into complex object graphs, to keep the attack surface small.
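The description above names the pattern (an ObjectInputStream reading server-supplied bytes with no validation) and the recommendations name the mitigation (do not deserialize untrusted data into arbitrary classes). The following is an added example, not the Aerospike client's code or its actual fix: a hypothetical bytesToObject helper that installs a java.io.ObjectInputFilter allowlist and resource limits before reading, shown next to the unfiltered shape the advisory describes. The Point class, the allowlist contents and the limits are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;
import java.util.Set;

// Added example (not the Aerospike client's code): a bytes-to-object helper
// that refuses any class outside an explicit allowlist. Requires Java 9+.
public class FilteredBytesToObject {

    // Hypothetical application value type that the client legitimately expects.
    public static final class Point implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int x, y;
        public Point(int x, int y) { this.x = x; this.y = y; }
        @Override public String toString() { return "Point(" + x + "," + y + ")"; }
    }

    // Only these classes (plus primitives and arrays of them) may appear in a response.
    private static final Set<String> ALLOWED_CLASSES = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Long", "java.lang.Number",
        Point.class.getName()
    );

    // Resource limits (assumed values): a hostile stream must not exhaust memory
    // or stack before the class check gets a chance to reject it.
    private static final long MAX_DEPTH = 8;
    private static final long MAX_ARRAY_LENGTH = 10_000;
    private static final long MAX_STREAM_BYTES = 64 * 1024;

    static final ObjectInputFilter ALLOWLIST = info -> {
        if (info.depth() > MAX_DEPTH
                || info.arrayLength() > MAX_ARRAY_LENGTH
                || info.streamBytes() > MAX_STREAM_BYTES) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // Callback without a class (size/depth bookkeeping): leave undecided.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) {
            c = c.getComponentType();
        }
        if (c.isPrimitive() || ALLOWED_CLASSES.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    // The unsafe shape the advisory describes: whatever class the stream names
    // gets instantiated, as long as it is on the classpath.
    public static Object bytesToObjectUnfiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened shape: the filter is installed before the first readObject().
    public static Object bytesToObject(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Helper to build constructed sample "responses" for the demo below.
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected type, one type the client never asked for.
        byte[] expected = toBytes(new Point(3, 4));
        byte[] unexpected = toBytes(new Date(0));

        System.out.println("filtered, allowed type:  " + bytesToObject(expected));
        System.out.println("unfiltered, any type:    " + bytesToObjectUnfiltered(unexpected));
        try {
            bytesToObject(unexpected);
        } catch (InvalidClassException e) {
            // The filter rejected java.util.Date before any of its code ran.
            System.out.println("filtered, rejected:      " + e.getMessage());
        }
    }
}
```

The important property is that the filter runs before the named class is resolved and instantiated, so a rejected class never has its readObject, readResolve or constructor logic executed; an allowlist of the handful of types the protocol actually carries is far easier to reason about than a denylist of known gadget classes. A JVM-wide default can also be set with the jdk.serialFilter system property, but a per-stream filter at the point where untrusted bytes enter is the more precise control.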

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
BDU:2023-04601
CVE-2023-36480
GHSA-JJ95-55CR-9597

Affected Products

Aerospike Java Client