CVE-2024-23636
📋 TL;DR
CVE-2024-23636 is a critical deserialization vulnerability in SOFARPC that allows remote code execution by bypassing the SOFA Hessian protocol's blacklist protection. Attackers can exploit this using gadget chains built solely from JDK classes, requiring no third-party dependencies. All SOFARPC users running versions before 5.12.0 with default configurations are affected.
💻 Affected Systems
- SOFARPC
📦 What is this software?
Sofarpc by Sofastack
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker achieves full system compromise, executing arbitrary code with the application's privileges, leading to data theft, system takeover, or ransomware deployment.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation and strict access controls, potentially only affecting the vulnerable application instance.
🎯 Exploit Status
Exploitation requires sending malicious serialized data to SOFARPC endpoints. The advisory suggests the vulnerability is easily exploitable given the CVSS score of 9.8.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.12.0
Vendor Advisory: https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr
Restart Required: Yes
Instructions:
1. Upgrade SOFARPC to version 5.12.0 or later.
2. Update dependencies in your project configuration (Maven pom.xml or Gradle build.gradle).
3. Rebuild and redeploy your application.
4. Restart all SOFARPC services.
🔧 Temporary Workarounds
Add custom blacklist via JVM argument
Add additional classes to the deserialization blacklist to block known gadget chains
-Drpc_serialize_blacklist_override=org.apache.xpath.
🧯 If You Can't Patch
- Implement strict network access controls to limit SOFARPC endpoints to trusted sources only.
- Monitor for unusual deserialization patterns and implement application-level input validation for SOFARPC requests.
🔍 How to Verify
Check if Vulnerable:
Check your SOFARPC version in application dependencies or by examining the JAR file metadata. Versions below 5.12.0 are vulnerable.
Check Version:
- Maven: mvn dependency:tree | grep sofa-rpc-core
- JAR: java -jar your-app.jar --version, or examine MANIFEST.MF
Verify Fix Applied:
Confirm SOFARPC version is 5.12.0 or higher in your application dependencies and deployed artifacts.
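The version check above and the JVM-argument workaround from the Temporary Workarounds section can both be automated. The following is an added example, not code from the page or from the SOFARPC project: it parses sofa-rpc-core versions out of mvn dependency:tree output, compares them against 5.12.0, and checks a JVM command line for the rpc_serialize_blacklist_override property. The sample dependency tree is constructed, and the override value is assumed to be comma-separated.

```python
import re
from typing import Dict, List

FIXED_VERSION = (5, 12, 0)  # first release with the fix, per the advisory

# sofa-rpc-core line of `mvn dependency:tree`, e.g.
# "[INFO] +- com.alipay.sofa:sofa-rpc-core:jar:5.11.0:compile"
DEP_LINE = re.compile(r":sofa-rpc-core:jar:([0-9][^:\s]*):")
# Workaround property from the advisory; value assumed comma-separated.
OVERRIDE = re.compile(r"-Drpc_serialize_blacklist_override=(\S+)")


def find_sofa_rpc_versions(dep_tree: str) -> List[str]:
    """Every sofa-rpc-core version present in the dependency tree."""
    return DEP_LINE.findall(dep_tree)


def is_vulnerable_version(version: str) -> bool:
    """True when the version predates 5.12.0. A qualified 5.12.0 build
    (e.g. 5.12.0-SNAPSHOT) is treated as vulnerable, since it may predate
    the fix commit."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums = (nums + (0, 0, 0))[:3]  # pad "5.12" to (5, 12, 0)
    if nums < FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and bool(qualifier)


def blacklist_override_present(jvm_cmdline: str) -> bool:
    """True when the advisory's org.apache.xpath. blacklist entry is set."""
    m = OVERRIDE.search(jvm_cmdline)
    return bool(m) and "org.apache.xpath." in m.group(1).split(",")


def assess(dep_tree: str, jvm_cmdline: str) -> Dict[str, object]:
    """Summarise exposure: versions found, whether any is affected, and
    whether the temporary workaround is active on the JVM command line."""
    versions = find_sofa_rpc_versions(dep_tree)
    return {
        "versions": versions,
        "vulnerable": any(is_vulnerable_version(v) for v in versions),
        "workaround_active": blacklist_override_present(jvm_cmdline),
    }


# Constructed sample input, not real project output.
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- com.alipay.sofa:sofa-rpc-core:jar:5.11.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""
SAMPLE_CMDLINE = "java -Xmx2g -jar orders.jar"
```

Feed it the real dependency:tree output and the running JVM's command line (for example from ps output); a "vulnerable": True result with "workaround_active": False means neither the patch nor the interim blacklist is in place.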
📡 Detection & Monitoring
Log Indicators:
- Unusual deserialization errors in SOFARPC logs
- Stack traces containing suspicious class names like those from org.apache.xpath
- Unexpected process spawning or network connections from Java processes
Network Indicators:
- Unusual SOFARPC protocol traffic patterns
- Requests to SOFARPC endpoints from unexpected sources
SIEM Query:
source="sofa-rpc.log" AND ("deserialization" OR "blacklist" OR "ClassNotFoundException")
🔗 References
- https://github.com/sofastack/sofa-rpc/commit/42d19b1b1d14a25aafd9ef7c219c04a19f90fc76
- https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-7q8p-9953-pxvr