CVE-2021-37578— Remote code execution via RMI

Remote code execution via RMI

Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.

N/A

可信数据的反序列化

Apache jUDDI 代码问题漏洞

Apache jUDDI是一个服务于WebServices 的UDDI的java实现开源包。 Apache jUDDI 3.3.10之前的版本存在代码问题漏洞。该漏洞源于Apache jUDDI使用了几个与Java的远程方法调用(RMI)相关的类，RMI(作为UDDI的扩展)提供了访问UDDI服务的替代传输。RMI使用默认的Java序列化机制在RMI调用中传递参数。远程攻击者可利用该漏洞向上述RMI条目发送恶意的序列化对象，对象在不检查传入数据的情况下被反序列化。在最坏的情况下，它可能让攻击者远程运行任意

N/A

N/A