CVE-2023-35839
📋 TL;DR
CVE-2023-35839 is a critical deserialization vulnerability in Solon's sofa-hessian component that allows remote attackers to execute arbitrary code by sending specially crafted payloads. This affects all systems running Solon versions before 2.3.3 that use the vulnerable component. Attackers can achieve remote code execution without authentication, potentially compromising entire systems.
💻 Affected Systems
- Solon
📦 What is this software?
Solon is a Java application framework maintained by noear (https://github.com/noear/solon); the affected component is its sofa-hessian serialization module.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the affected server, allowing data theft, ransomware deployment, or use as a foothold for lateral movement.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential pivoting to other internal systems.
If Mitigated
Limited impact with proper network segmentation, but still potential for application-level compromise if exploited.
🎯 Exploit Status
The vulnerability is a deserialization bypass that can be exploited with crafted payloads. Public references and GitHub commits demonstrate the exploit mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.3 and later
Vendor Advisory: https://github.com/noear/solon/compare/v2.3.2...v2.3.3
Restart Required: Yes
Instructions:
1. Update Solon to version 2.3.3 or later.
2. Update dependencies: 'mvn clean install' or equivalent.
3. Restart the application server.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable sofa-hessian component
Applies to: all platforms
Temporarily disable or remove the vulnerable sofa-hessian component if it is not essential for functionality.
Remove or comment out sofa-hessian dependencies in pom.xml or build.gradle
Network segmentation
Applies to: Linux
Restrict network access to affected systems using firewalls or security groups.
iptables -A INPUT -p tcp --dport [application_port] -s [trusted_ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [application_port] -j DROP
🧯 If You Can't Patch
- Implement strict input validation and filtering for all deserialization endpoints
- Deploy web application firewall (WAF) rules to block malicious deserialization payloads
🔍 How to Verify
Check if Vulnerable:
Check the Solon version and whether the sofa-hessian component is in use. If the version is below 2.3.3 and sofa-hessian is used, the system is vulnerable.
Check Version:
Check application startup logs or use: java -jar [application.jar] --version
Verify Fix Applied:
Verify Solon version is 2.3.3 or later and review application logs for any deserialization errors post-patch.
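The version-and-component check above, applied to a Maven pom.xml, as an added example (not code from this advisory or from the Solon project). It assumes the core artifactId is "solon" and that the sofa-hessian module's artifactId contains "sofa-hessian"; the sample pom.xml is constructed for the demonstration.

```python
# Checks a Maven pom.xml for the condition the advisory calls vulnerable: a Solon
# version below 2.3.3 alongside a sofa-hessian dependency. Added example; not code
# from the advisory or the Solon project. Group/artifact ids below are assumed.
import re
import xml.etree.ElementTree as ET

FIXED = (2, 3, 3)  # first fixed release named in the advisory
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed sample pom.xml; the version lives in a property, as is common.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><solon.version>2.3.2</solon.version></properties>
  <dependencies>
    <dependency><groupId>org.noear</groupId><artifactId>solon</artifactId>
      <version>${solon.version}</version></dependency>
    <dependency><groupId>org.noear</groupId><artifactId>sofa-hessian</artifactId>
      <version>${solon.version}</version></dependency>
  </dependencies>
</project>"""

def version_tuple(text):
    """'2.3.2' -> (2, 3, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def resolve(value, props):
    """Expand ${name} references from <properties>; unknown names stay literal."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def assess(pom_text):
    """Return solon_version, has_sofa_hessian and vulnerable (True/False, or None when
    sofa-hessian is declared but no version is found, e.g. set in a parent POM/BOM)."""
    root = ET.fromstring(pom_text)
    props = {p.tag.rpartition("}")[2]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    solon_version, has_hessian = None, False
    for dep in root.findall(".//m:dependency", NS):
        artifact = (dep.findtext("m:artifactId", "", NS) or "").strip()
        version = resolve(dep.findtext("m:version", None, NS), props)
        if "sofa-hessian" in artifact:  # component name as given in the advisory
            has_hessian = True
        if artifact == "solon" and version:  # assumed core artifactId
            solon_version = version.strip()
    if not has_hessian:
        vulnerable = False
    else:
        vulnerable = None if solon_version is None else version_tuple(solon_version) < FIXED
    return {"solon_version": solon_version, "has_sofa_hessian": has_hessian,
            "vulnerable": vulnerable}
```

A result of None means the version is managed outside this file (parent POM or BOM), so that file needs the same check.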
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors
- Stack traces containing 'sofa-hessian' or deserialization classes
- Unexpected process spawns or network connections
Network Indicators:
- Unusual payloads to deserialization endpoints
- Traffic patterns matching exploit payloads
SIEM Query:
source="application.logs" AND ("sofa-hessian" OR "deserialization" OR "ClassNotFoundException")