CVE-2023-42809— Redisson 代码问题漏洞

Redisson unsafe deserialization vulnerability

Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue. Some post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec` please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

可信数据的反序列化

Redisson 代码问题漏洞

Redisson是Redisson开源的一个Java驻内存数据网格。 Redisson 3.22.0版本存在代码问题漏洞，该漏洞源于从 Redis 服务器接收到的一些消息包含客户端反序列化的 Java 对象，而无需进一步验证，攻击者利用该漏洞可以在其响应中包含特制的对象，这些对象一旦被客户端反序列化，就会强制其执行任意代码。

N/A

N/A