CVE-2022-24289 - OpenCVE

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Cayenne

Configuration 1 [-]

cpe:2.3:a:apache:cayenne:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/02/11/1	Mailing List Third Party Advisory
https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2022-02-11T12:20:15

Updated: 2022-02-11T15:06:14

Reserved: 2022-02-01T00:00:00

Link: CVE-2022-24289

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-02-11T13:15:08.237

Modified: 2022-02-18T01:34:11.623

Link: CVE-2022-24289

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"product": "Apache Cayenne", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.1", "status": "affected", "version": "4.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Panda"}], "descriptions": [{"lang": "en", "value": "Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution."}], "metrics": [{"other": {"content": {"other": "moderate"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-11T15:06:14", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"}, {"name": "[oss-security] 20220211 CVE-2022-24289: Apache Cayenne: Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/02/11/1"}], "source": {"discovery": "UNKNOWN"}, "title": "Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions", "workarounds": [{"lang": "en", "value": "Either upgrade to Apache Cayenne 4.2 or a patched version of Java (after 6u211, 7u201, 8u191, and 11.0.1)\n\nAll versions of Apache Cayenne 4.2 have whitelisting enabled by default for the Hessian deserialization. Later versions of Java also have LDAP mitigation in place. Users can either upgrade Java or Apache Cayenne to avoid the issue.\n\nLDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 11.0.1 where com.sun.jndi.ldap.object.trustURLCodebase system property is set to false by default to prevent JNDI from loading remote code through LDAP."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-24289", "STATE": "PUBLIC", "TITLE": "Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Cayenne", "version": {"version_data": [{"version_affected": "<=", "version_name": "4.1", "version_value": "4.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Panda"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "moderate"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc", "refsource": "MISC", "url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"}, {"name": "[oss-security] 20220211 CVE-2022-24289: Apache Cayenne: Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/11/1"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Either upgrade to Apache Cayenne 4.2 or a patched version of Java (after 6u211, 7u201, 8u191, and 11.0.1)\n\nAll versions of Apache Cayenne 4.2 have whitelisting enabled by default for the Hessian deserialization. Later versions of Java also have LDAP mitigation in place. Users can either upgrade Java or Apache Cayenne to avoid the issue.\n\nLDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 11.0.1 where com.sun.jndi.ldap.object.trustURLCodebase system property is set to false by default to prevent JNDI from loading remote code through LDAP."}]}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-24289", "datePublished": "2022-02-11T12:20:15", "dateReserved": "2022-02-01T00:00:00", "dateUpdated": "2022-02-11T15:06:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cayenne:*:*:*:*:*:*:*:*", "matchCriteriaId": "F4D5F712-3D44-4C46-8963-7CE10C4D1228", "versionEndExcluding": "4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution."}, {"lang": "es", "value": "Hessian serialization es un protocolo de red que soporta la transmisi\u00f3n basada en objetos. La funcionalidad opcional Remote Object Persistence (ROP) de Apache Cayenne es una tecnolog\u00eda basada en servicios web que proporciona persistencia de objetos y funcionalidad de consulta a aplicaciones \"remote\". En Apache Cayenne versiones 4.1 y anteriores, que es ejecutado en versiones de parches no actuales de Java, un atacante con acceso al cliente a Cayenne ROP puede transmitir una carga \u00fatil maliciosa a cualquier dependencia vulnerable de terceros en el servidor. Esto puede resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario"}], "id": "CVE-2022-24289", "lastModified": "2022-02-18T01:34:11.623", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T13:15:08.237", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/02/11/1"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}