CVE-2023-45146

9.0 CRITICAL

📋 TL;DR

CVE-2023-45146 is a critical remote code execution vulnerability in XXL-RPC when configured with Netty and Hessian serialization. Attackers can send malicious serialized objects to execute arbitrary code on vulnerable servers, potentially taking full control. Organizations using XXL-RPC with the vulnerable configuration are affected.

💻 Affected Systems

Products:
  • XXL-RPC
Versions: All versions up to and including current (no fix available)
Operating Systems: All operating systems running XXL-RPC
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using Netty framework with Hessian serialization. Other configurations may not be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the server, with the attacker gaining full system control, exfiltrating data, moving laterally, and installing a persistent backdoor.

🟠 Likely Case: Remote code execution leading to service disruption, data theft, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper network segmentation and security controls, potentially only service disruption.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication when exposed to internet.
🏢 Internal Only: HIGH - Still exploitable from internal network segments by compromised devices or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending specially crafted serialized objects to vulnerable endpoints. Public technical details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2023-052_XXL-RPC/

Restart Required: No

Instructions:

No official patch available. Consider workarounds or alternative solutions.

🔧 Temporary Workarounds

Disable Hessian Serialization (platform: all)

Switch from Hessian serialization to a safer alternative such as JSON or Protocol Buffers. Modify the XXL-RPC configuration to use a different serialization mechanism.

Network Segmentation (platform: linux)

Restrict access to XXL-RPC endpoints using firewall rules that accept only trusted sources and drop everything else. Rule order matters: the ACCEPT rule for trusted addresses must be inserted before the catch-all DROP.

iptables -A INPUT -p tcp --dport [XXL-RPC_PORT] -s [TRUSTED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [XXL-RPC_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit XXL-RPC exposure to only trusted sources
  • Deploy runtime application self-protection (RASP) or WAF with deserialization protection

🔍 How to Verify

Check if Vulnerable:

Check if XXL-RPC is running with Netty+Hessian configuration. Review application configuration files for serialization settings.

Check Version:

Check the XXL-RPC version in application logs or configuration files. There is no specific command for this, because the library version is typically embedded in the application's dependencies rather than exposed by a binary.

Verify Fix Applied:

Verify Hessian serialization is disabled and alternative serialization is configured. Test with network scanning to confirm restricted access.
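The workaround and the verification steps above both come down to one question: does the deployment combine the Netty transport with a Hessian serializer? The following script is an added example (not part of this advisory or of the XXL-RPC project) that scans source and configuration files for that combination. The class names it looks for (NettyServer, NettyClient, HessianSerializer, Hessian1Serializer, and the older NetEnum / SerializeEnum constants) are the ones XXL-RPC ships; the property-style keys such as `net_type=netty` and `serializer=hessian`, the `setServer(...)` / `setSerializer(...)` calls in the samples, and the sample file contents are constructed assumptions about how a deployment might express the choice, and should be adapted to your own configuration format. Because the transport and the serializer are often chosen in different files, the result is aggregated across the whole tree rather than judged per file.

```python
"""Check whether an XXL-RPC deployment combines the Netty transport with
Hessian serialization, the configuration affected by CVE-2023-45146.

Added example; not code from the advisory or from the XXL-RPC project.
"""
import re
from pathlib import Path

# Class names are XXL-RPC's own. The property-style keys are an ASSUMPTION
# about how a deployment might externalise the choice; adapt them as needed.
NETTY_PATTERNS = [
    r"\bNettyServer\b",
    r"\bNettyClient\b",
    r"\bNetEnum\.NETTY\b",
    r"(?i)net[_.]?type\s*[=:]\s*netty\b",
]
HESSIAN_PATTERNS = [
    r"\bHessian1?Serializer\b",          # HessianSerializer / Hessian1Serializer
    r"\bSerializeEnum\.HESSIAN\b",
    r"(?i)serializ\w*\s*[=:]\s*hessian\b",
]


def classify_text(text: str) -> dict:
    """Classify one file's contents: which of the two ingredients it selects."""
    netty = any(re.search(p, text) for p in NETTY_PATTERNS)
    hessian = any(re.search(p, text) for p in HESSIAN_PATTERNS)
    return {"netty": netty, "hessian": hessian, "vulnerable": netty and hessian}


def scan_files(files: dict) -> dict:
    """files maps path -> text. The verdict is aggregated across all files,
    because the transport and the serializer may be configured separately."""
    netty_in, hessian_in = [], []
    for path, text in files.items():
        verdict = classify_text(text)
        if verdict["netty"]:
            netty_in.append(path)
        if verdict["hessian"]:
            hessian_in.append(path)
    return {
        "netty_in": sorted(netty_in),
        "hessian_in": sorted(hessian_in),
        # Hessian without Netty still deserves a look, but only the
        # combination is the configuration this advisory describes.
        "vulnerable": bool(netty_in and hessian_in),
    }


def scan_tree(root, suffixes=(".java", ".properties", ".yml", ".yaml", ".xml")) -> dict:
    """Walk a project directory and feed every config/source file to scan_files."""
    root = Path(root)
    files = {
        str(p): p.read_text(errors="replace")
        for p in root.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }
    return scan_files(files)


# Constructed samples (not real project files) showing the three outcomes.
VULNERABLE_SAMPLE = {
    "ProviderConfig.java": (
        "providerFactory.setServer(NettyServer.class);\n"
        "providerFactory.setSerializer(HessianSerializer.class);\n"
    ),
}
MITIGATED_SAMPLE = {
    "ProviderConfig.java": (
        "providerFactory.setServer(NettyServer.class);\n"
        "providerFactory.setSerializer(JacksonSerializer.class);\n"
    ),
}
SPLIT_SAMPLE = {  # transport and serializer chosen in different files
    "rpc.properties": "xxl.rpc.net_type=netty\n",
    "SerializerConfig.java": "factory.setSerializer(Hessian1Serializer.class);\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(scan_tree(sys.argv[1]))
    else:
        for name, sample in (("vulnerable", VULNERABLE_SAMPLE),
                             ("mitigated", MITIGATED_SAMPLE),
                             ("split", SPLIT_SAMPLE)):
            print(name, scan_files(sample))
```

Run it against the application's source or config directory (`python check_xxl_rpc.py /path/to/app`); a `vulnerable: True` result lists which files select Netty and which select Hessian, so the serializer change can be made and the script re-run to confirm the fix. A match on Hessian alone is reported in `hessian_in` so it can be reviewed even when no Netty reference is found in the scanned files.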

📡 Detection & Monitoring

Log Indicators:

  • Unusual deserialization errors
  • Unexpected Java class loading
  • Suspicious network connections to XXL-RPC ports

Network Indicators:

  • Malformed serialized objects sent to XXL-RPC ports
  • Unexpected outbound connections from XXL-RPC server

SIEM Query:

source="XXL-RPC" AND (event="deserialization_error" OR event="class_not_found")
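The SIEM query above and the log indicators listed before it can be exercised offline with the following detector, an added example that is not part of this advisory or of XXL-RPC. It tags each log line with the indicator it matches (deserialization error, ClassNotFoundException, or a class load outside the expected package prefixes), attributes the event to the remote address found in the line, and raises an alert when one source accumulates several indicators within the batch. The sample log lines are constructed for the example and use documentation addresses; the XXL-RPC message wording is an assumption, while the `[class,load]` lines follow the JDK unified-logging format produced by `-Xlog:class+load`, which a deployment would have to enable. The expected package prefixes and the alert threshold are tunable assumptions.

```python
"""Offline detector for the CVE-2023-45146 log indicators:
deserialization errors, ClassNotFoundException, unexpected class loading.

Added example; not code from the advisory or from the XXL-RPC project.
"""
import re
from collections import defaultdict

# Indicator patterns. Message wording is an ASSUMPTION; tune to your logs.
INDICATORS = {
    "deserialization_error": re.compile(
        r"(?i)deserializ\w*\s+(error|exception|fail)|HessianProtocolException"),
    "class_not_found": re.compile(r"ClassNotFoundException"),
}
# JDK unified logging (-Xlog:class+load) and the older -verbose:class format.
CLASS_LOAD_RE = re.compile(r"\[class,load\]\s+(\S+)|\[Loaded\s+(\S+)")
# Packages a healthy XXL-RPC service is expected to load (ASSUMPTION; extend it).
EXPECTED_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "com.xxl.", "io.netty.", "com.caucho.")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify_line(line: str) -> list:
    """Return the indicator names that apply to one log line."""
    tags = [name for name, rx in INDICATORS.items() if rx.search(line)]
    m = CLASS_LOAD_RE.search(line)
    if m:
        cls = m.group(1) or m.group(2)
        if not cls.startswith(EXPECTED_PREFIXES):
            tags.append("unexpected_class_load")
    return tags


def analyse(lines, threshold: int = 3):
    """Tag every line, attribute it to a remote address, and alert on sources
    that accumulate `threshold` or more indicators in the batch."""
    per_source = defaultdict(lambda: defaultdict(int))
    matches = []
    for line in lines:
        tags = classify_line(line)
        if not tags:
            continue
        ip = IP_RE.search(line)
        src = ip.group(1) if ip else "unknown"
        for tag in tags:
            per_source[src][tag] += 1
        matches.append({"source": src, "tags": tags, "line": line})
    alerts = [
        {"source": src, "events": sum(c.values()), "breakdown": dict(c)}
        for src, c in per_source.items() if sum(c.values()) >= threshold
    ]
    alerts.sort(key=lambda a: -a["events"])
    return matches, alerts


# Constructed sample log lines (documentation addresses; not from a real incident).
SAMPLE_LOGS = [
    "2024-01-10 10:00:01 INFO  NettyServer - xxl-rpc remoting server start success, port=7080",
    "[0.120s][info][class,load] com.xxl.rpc.remoting.net.impl.netty.server.NettyServer source: file:/opt/app/lib/xxl-rpc-core.jar",
    "2024-01-10 10:05:12 ERROR HessianSerializer - xxl-rpc deserialize error, remote=203.0.113.7:51002: com.caucho.hessian.io.HessianProtocolException: expected end of call",
    "2024-01-10 10:05:13 WARN  NettyServer - java.lang.ClassNotFoundException: example.NotOnClasspath, remote=203.0.113.7:51003",
    "[0.345s][info][class,load] example.NotOnClasspath source: __JVM_DefineClass__",
    "2024-01-10 10:05:14 ERROR HessianSerializer - xxl-rpc deserialize error, remote=203.0.113.7:51004: com.caucho.hessian.io.HessianProtocolException: unknown code",
    "2024-01-10 11:30:00 ERROR HessianSerializer - xxl-rpc deserialize error, remote=10.0.0.5:40001: com.caucho.hessian.io.HessianProtocolException: expected int",
]

if __name__ == "__main__":
    found, alerts = analyse(SAMPLE_LOGS)
    for m in found:
        print(m["source"], m["tags"])
    print("alerts:", alerts)
```

Against the sample batch, five lines are tagged: three from 203.0.113.7 (two deserialization errors and a ClassNotFoundException), one unattributed class load of a class outside the expected packages, and a single deserialization error from 10.0.0.5. Only 203.0.113.7 crosses the threshold of three, so one alert is raised; the isolated error from 10.0.0.5 is kept as a match for triage without alerting, which mirrors the distinction between a one-off protocol mismatch and a source probing the endpoint repeatedly.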
