CVE-2023-24621

7.8 HIGH

📋 TL;DR

CVE-2023-24621 is a deserialization vulnerability in Esoteric YamlBeans that allows attackers to execute arbitrary Java code by crafting malicious YAML documents. This affects applications using YamlBeans to parse untrusted YAML input. The vulnerability exists because YamlBeans deserializes to arbitrary Java classes by default without proper validation.

💻 Affected Systems

Products:
  • Esoteric YamlBeans
Versions: All versions through 1.15
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default when processing YAML from untrusted sources. Applications using YamlBeans for configuration or data parsing are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Arbitrary code execution within the application context, potentially leading to data exposure or lateral movement.

🟢 If Mitigated: Limited impact if only trusted YAML sources are processed or proper input validation is implemented.

🌐 Internet-Facing: HIGH - Applications accepting YAML input from external sources are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications processing YAML from untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to supply malicious YAML content to a vulnerable application. No authentication needed if YAML input is accepted from untrusted sources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.16 or later

Vendor Advisory: https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md

Restart Required: Yes

Instructions:

1. Update the YamlBeans dependency to version 1.16 or later.
2. Rebuild and redeploy affected applications.
3. Restart services using the updated library.

🔧 Temporary Workarounds

Disable unsafe deserialization (Platform: all)

Configure YamlConfig to restrict deserialization to safe classes only:

import com.esotericsoftware.yamlbeans.YamlConfig;
import com.esotericsoftware.yamlbeans.YamlReader;

YamlConfig config = new YamlConfig();
// The class-tag switch lives on the read configuration, not on YamlConfig itself.
// With it off, a document cannot select a Java class through a YAML tag; types the
// application genuinely expects can still be mapped explicitly with
// config.setClassTag("tagname", ExpectedType.class).
config.readConfig.setClassTags(false);
YamlReader reader = new YamlReader(yamlString, config);

Input validation and sanitization (Platform: all)

Validate and sanitize YAML input before processing:

// Implement input validation to reject suspicious YAML content
// Use allowlists for expected YAML structures

🧯 If You Can't Patch

  • Implement strict input validation to reject YAML containing Java class tags or suspicious patterns
  • Isolate vulnerable applications in network segments with restricted access and monitor for exploitation attempts
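As an added example (not from this advisory or the YamlBeans project), a Python pre-parse filter that implements the first bullet: it scans a YAML document for tags that look like fully qualified Java class names and rejects the document unless the tag is on an explicit allowlist. Both sample documents and the class name in them are constructed placeholders.

```python
"""Pre-parse allowlist check for YAML that is about to be handed to YamlBeans."""
import re

# A tag token at a token boundary: verbatim !<...>, shorthand !!tag, or local !tag.
TAG_RE = re.compile(r'(?:^|(?<=[\s:\-\[{,]))(!<[^>]*>|!![^\s\[\]{},]*|![^\s\[\]{},]*)')
# A YAML comment runs from a '#' at line start or after whitespace to end of line.
COMMENT_RE = re.compile(r'(?:^|\s)#.*$')
# Fully qualified Java class name: identifier segments with at least one dot.
JAVA_CLASS_RE = re.compile(r'^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$')


def extract_tags(yaml_text):
    """Collect every tag token in the document, ignoring comments."""
    tags = []
    for line in yaml_text.splitlines():
        for match in TAG_RE.finditer(COMMENT_RE.sub('', line)):
            tags.append(match.group(1))
    return tags


def java_class_from_tag(tag):
    """Return the tag body if it looks like a Java class name, else None."""
    body = tag[2:-1] if tag.startswith('!<') else tag.lstrip('!')
    return body if JAVA_CLASS_RE.match(body) else None


def check_yaml(yaml_text, allowed_tags=frozenset()):
    """Return class-like tags that are not allowlisted; an empty list means
    the document may be passed on to the parser."""
    return [tag for tag in extract_tags(yaml_text)
            if tag not in allowed_tags and java_class_from_tag(tag) is not None]


# Constructed sample documents (placeholder class name, not a real gadget).
SAFE_DOC = """\
# plain data using only a core-schema tag
name: !!str widget
count: 3
"""
UNSAFE_DOC = """\
settings: !com.example.NotExpectedClass
  host: localhost
"""
```

A non-empty result should cause the document to be rejected before any YamlBeans call; a `!` inside a quoted scalar can produce a false positive, which is the safe direction for this filter. This check does not replace the 1.16 upgrade, since it knows nothing about what the parser will actually do with an allowlisted tag.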

🔍 How to Verify

Check if Vulnerable:

Check if YamlBeans version is 1.15 or earlier in your project dependencies (Maven pom.xml, Gradle build.gradle, or JAR manifest).

Check Version:

mvn dependency:tree | grep yamlbeans
OR
grep -r "yamlbeans" build.gradle
OR
java -jar your-app.jar --version

Verify Fix Applied:

Verify YamlBeans version is 1.16 or later and test with known malicious YAML payloads to ensure safe deserialization.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected Java class loading during YAML parsing
  • Stack traces containing deserialization errors
  • Unusual process execution from application context

Network Indicators:

  • Inbound YAML content containing Java class references
  • Outbound connections from application to unexpected destinations

SIEM Query:

source="application.logs" AND ("ClassNotFoundException" OR "yamlbeans" OR "deserialization")
