CVE-2023-42809

Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue. Some post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe	Patch
https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/	Exploit Third Party Advisory
https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe	Patch
https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redisson:redisson:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:23

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-04 20:15

Updated : 2024-11-21 08:23

NVD link : CVE-2023-42809

Mitre link : CVE-2023-42809

CVE.ORG link : CVE-2023-42809

JSON object : View

Products Affected

redisson

redisson

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2023-42809", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-10-04T20:15:10.263", "references": [{"url": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/redisson/redisson/commit/fe6a2571801656ff1599ef87bdee20f519a5d1fe", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://securitylab.github.com/advisories/GHSL-2023-053_Redisson/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue.\n\nSome post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization."}, {"lang": "es", "value": "Redisson es un cliente Java Redis que utiliza el framework Netty. Antes de la versi\u00f3n 3.22.0, algunos de los mensajes recibidos del servidor Redis contienen objetos Java que el cliente deserializa sin mayor validaci\u00f3n. Los atacantes que logran enga\u00f1ar a los clientes para que se comuniquen con un servidor malicioso pueden incluir objetos especialmente manipulados en sus respuestas que, una vez deserializados por el cliente, lo obligan a ejecutar c\u00f3digo arbitrario. Se puede abusar de esto para tomar el control de la m\u00e1quina en la que se ejecuta el cliente. La versi\u00f3n 3.22.0 contiene un parche para este problema. Se encuentran disponibles algunos consejos posteriores a la reparaci\u00f3n. NO utilice `Kryo5Codec` como c\u00f3dec de deserializaci\u00f3n, ya que a\u00fan es vulnerable a la deserializaci\u00f3n arbitraria de objetos debido a la llamada `setRegistrationRequired(false)`. Por el contrario, \"KryoCodec\" es seguro de usar. La soluci\u00f3n aplicada a `SerializationCodec` solo consiste en agregar una lista opcional de nombres de clases de permitidos, aunque se recomienda que este comportamiento sea el predeterminado. Al crear una instancia de `SerializationCodec`, utilice el constructor `SerializationCodec(ClassLoader classLoader, Set AllowClasses)` para restringir las clases permitidas para la deserializaci\u00f3n."}], "lastModified": "2024-11-21T08:23:12.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redisson:redisson:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E83B6EC-FF08-4044-9EAA-769C599F95BA", "versionEndExcluding": "3.22.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}