CVE-2024-23636

Name of the Vulnerable Software and Affected Versions SOFARPC versions prior to 5.12.0

Description SOFARPC is a Java RPC framework that defaults to using the SOFA Hessian protocol to deserialize received data. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. However, prior to version 5.12.0, there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components.

Recommendations For SOFARPC versions prior to 5.12.0, upgrade to version 5.12.0 to fix the issue. As a temporary workaround, users can add additional blacklists by using the -Drpc serialize blacklist override parameter, for example, -Drpc serialize blacklist override=org.apache.xpath.