pac4j Java Framework Vulnerable to RCE Attacks



A critical security vulnerability has been found in the popular Java framework pac4j. The vulnerability specifically affects versions earlier than 4.0 of the pac4j-core module.

This vulnerability, identified as CVE-2023-25581, exposes systems to potential remote code execution (RCE) attacks because of a flaw in the deserialization process.

Vulnerability Details – CVE-2023-25581

The issue stems from a Java deserialization vulnerability in the InternalAttributeHandler class of pac4j-core.


The restore method of this class handles various data types, including strings, booleans, integers, and more.


However, it also processes serialized Java objects prefixed with {#sb64} and encoded in Base64.

public Object restore(final Object value) {
    if (value != null && value instanceof String) {
        final String sValue = (String) value;
        if (sValue.startsWith(PREFIX)) {
            // Handling of the other prefixes (booleans, integers, ...) is elided here
            // …
            if (sValue.startsWith(PREFIX_SB64)) {
                // Base64-decodes the remainder of the string and deserializes it as a Java object
                return serializationHelper.unserializeFromBase64(sValue.substring(PREFIX_SB64.length()));
            }
        }
    }
    return value;
}

The vulnerability arises because the restore method does not adequately verify whether a string attribute already contains the {#sb64} prefix, i.e. whether the marker was set by the library itself or arrived in user-controlled data.

This oversight allows an attacker to craft a malicious attribute that triggers the deserialization of an arbitrary Java class, potentially leading to RCE.

Coordinated Disclosure Timeline

  • 2023-02-02: The vulnerability was reported to the pac4j security team.
  • 2023-02-14: The development team acknowledged the report and issued a fix with the release of version 4.0.

Impact and Mitigation

According to a GitHub report, if exploited, this vulnerability could allow attackers to execute arbitrary code on affected systems.

While a RestrictedObjectInputStream is in place to limit deserialization to certain classes, it still allows a wide range of Java packages, making it potentially exploitable with various gadget chains.

To mitigate this risk, users are strongly advised to upgrade to pac4j-core version 4.0 or later, where this vulnerability has been addressed.
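The two defensive points above (never honour a serialization marker that arrived in untrusted data, and keep the deserialization allowlist narrow) are shown together in the following hardened handler. It is an added example written for this article, not pac4j's own code or its 4.0 fix; the prefix constant names other than {#sb64}, the trusted flag and the class allowlist are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Base64;
// Hypothetical hardened handler written for this article; not pac4j's code or its 4.0 fix.
public final class HardenedAttributeHandler {
    static final String PREFIX = "{#";
    static final String PREFIX_BOOLEAN = "{#bool}";  // assumed prefix names, for illustration
    static final String PREFIX_INT = "{#int}";
    static final String PREFIX_SB64 = "{#sb64}";     // the serialized-object prefix from the article
    // JEP 290 allowlist: String and boxed primitives only; "!*" rejects every other class.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "maxdepth=2;java.lang.String;java.lang.Boolean;java.lang.Number;java.lang.Integer;java.lang.Long;!*");
    // trusted is false for any value that came from the client (request parameter, cookie, header).
    public static Object restore(final Object value, final boolean trusted) {
        if (!(value instanceof String)) {
            return value;
        }
        final String s = (String) value;
        if (!s.startsWith(PREFIX)) {
            return s;
        }
        if (s.startsWith(PREFIX_BOOLEAN)) {
            return Boolean.parseBoolean(s.substring(PREFIX_BOOLEAN.length()));
        }
        if (s.startsWith(PREFIX_INT)) {
            return Integer.parseInt(s.substring(PREFIX_INT.length()));
        }
        if (s.startsWith(PREFIX_SB64)) {
            if (!trusted) {
                // An untrusted string carrying the serialization marker is the CVE-2023-25581
                // pattern: refuse it instead of deserializing it, so the caller can log and alert.
                throw new IllegalArgumentException("serialized attribute from untrusted source rejected");
            }
            return unserializeFromBase64(s.substring(PREFIX_SB64.length()));
        }
        return s;
    }
    static Object unserializeFromBase64(final String b64) {
        final byte[] bytes = Base64.getDecoder().decode(b64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST);  // gadget-chain classes are rejected before construction
            return ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new IllegalArgumentException("rejected serialized attribute", e);
        }
    }
}
```

Calling restore("{#sb64}...", false) throws, while restore("{#int}42", false) returns 42; a monitoring hook on the thrown exception gives a cheap detection signal for attempts against the marker.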

For more information on insecure deserialization and potential exploit techniques, refer to resources such as the ysoserial project.

Users are encouraged to review their systems for potential exposure and promptly apply the necessary updates.

This discovery underscores the importance of secure coding practices and of thoroughly validating user-controlled data in software development.
