CRITICAL🇵🇱 Wersja polska

CVE-2024-46983

CVSS 9.8v3.1pub. 2024-09-19upd. 2024-09-25

sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`.

🤖 AI Analysis
How it works

The SOFA Hessian protocol uses a blacklist mechanism to block deserialization of potentially dangerous classes. However, an attacker can exploit a gadget chain built solely from classes available in the standard JDK — without the need to use external libraries — to bypass this protection. Sending a specially crafted deserialization payload allows unauthorized actions to be triggered on the server side. The vulnerability does not require authentication or user interaction.

Impact

An attacker can gain full control over the application — it is possible to compromise confidentiality, integrity and availability of the system, including potentially remote code execution (RCE).

Mitigation & patch

Update sofa-hessian to version 3.5.5, in which the blacklist has been supplemented with entries blocking the known gadget chain. Users who cannot perform the update should independently maintain their own blacklist in a file in the `external/serialize.blacklist` directory.

Who is affected

The sofa-hessian library (Antfin / Ant Group) — versions prior to 3.5.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Antfin Sofa Hessian

    APP
    Antfin
    < 3.5.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2019-9212CRITICAL9.8ten sam produkt

SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hess...