logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-36480 com.aerospike:aerospike-client

Package

Manager: maven
Name: com.aerospike:aerospike-client
Vulnerable Version: >=6.0.0 <6.2.0 || >=5.0.0 <5.2.0 || >=0 <4.5.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02863 pctl0.85743

Details

Aerospike Java Client vulnerable to unsafe deserialization of server responses # GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-044` The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [Aerospike Java Client](https://github.com/aerospike/aerospike-client-java/). We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team. If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `securitylab@github.com` (please include `GHSL-2023-044` as a reference). If you are _NOT_ the correct point of contact for this report, please let us know! ## Summary The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. ## Product Aerospike Java Client ## Tested Version [6.1.7](https://github.com/aerospike/aerospike-client-java/releases/tag/6.1.7) ## Details ### Issue: Unsafe deserialization of server responses (`GHSL-2023-044`) The Aerospike Java client implements different ways of communicating with an Aerospike server to perform several operations. Asynchronous commands can be executed using the Netty framework using the `NettyCommand` class. This class includes an `InboundHandler` that extends Netty's `ChannelInboundHandlerAdapter`, which handles inbound data coming from the Netty channel established with the server. This is implemented in the `channelRead` method: [`client/src/com/aerospike/client/async/NettyCommand.java:1157`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L1157) ```java @Override public void channelRead(ChannelHandlerContext ctx, Object msg) { command.read((ByteBuf)msg); } ``` The incoming `msg` object is handled by the `NettyCommand.read` method, which behaves differently depending on the `state` variable. Several states produce paths to the vulnerable code — for instance, we will follow the path through `AsyncCommand.COMMAND_READ_HEADER`: [`/client/src/com/aerospike/client/async/NettyCommand.java:489`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L489) ```java private void read(ByteBuf byteBuffer) { eventReceived = true; try { switch (state) { // --snip-- case AsyncCommand.COMMAND_READ_HEADER: if (command.isSingle) { readSingleHeader(byteBuffer); } // --snip-- } // --snip-- } // --snip--- } ``` Some bytes are read from the message buffer and saved in `command.dataBuffer` in the `readSingleHeader` method, after which `parseSingleBody` is called: [`client/src/com/aerospike/client/async/NettyCommand.java:596`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/NettyCommand.java#L596) ```java private void readSingleHeader(ByteBuf byteBuffer) { int readableBytes = byteBuffer.readableBytes(); int dataSize = command.dataOffset + readableBytes; // --snip-- byteBuffer.readBytes(command.dataBuffer, 0, dataSize); command.dataOffset = dataSize; if (command.dataOffset >= receiveSize) { parseSingleBody(); } } ``` `parseSingleBody` simply delegates on `AsyncCommand.parseCommandResult`, which unless the message is compressed, directly calls `AsyncCommand.parseResult`. The implementation of this method depends on the command type. For an `AsyncRead` command, we have the following: [`client/src/com/aerospike/client/async/AsyncRead.java:68`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/async/AsyncRead.java#L68) ```java @Override protected final boolean parseResult() { validateHeaderSize(); int resultCode = dataBuffer[dataOffset + 5] & 0xFF; int generation = Buffer.bytesToInt(dataBuffer, dataOffset + 6); int expiration = Buffer.bytesToInt(dataBuffer, dataOffset + 10); int fieldCount = Buffer.bytesToShort(dataBuffer, dataOffset + 18); int opCount = Buffer.bytesToShort(dataBuffer, dataOffset + 20); dataOffset += Command.MSG_REMAINING_HEADER_SIZE; if (resultCode == 0) { // --snip-- skipKey(fieldCount); record = parseRecord(opCount, generation, expiration, isOperation); return true; } ``` It can be seen that several fields are read from the message's bytes, and then a call to `Command.parseRecord` happens: [`client/src/com/aerospike/client/command/Command.java:2083`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Command.java#L2083) ```java protected final Record parseRecord( int opCount, int generation, int expiration, boolean isOperation ) { Map<String,Object> bins = new LinkedHashMap<>(); for (int i = 0 ; i < opCount; i++) { int opSize = Buffer.bytesToInt(dataBuffer, dataOffset); byte particleType = dataBuffer[dataOffset + 5]; byte nameSize = dataBuffer[dataOffset + 7]; String name = Buffer.utf8ToString(dataBuffer, dataOffset + 8, nameSize); dataOffset += 4 + 4 + nameSize; int particleBytesSize = opSize - (4 + nameSize); Object value = Buffer.bytesToParticle(particleType, dataBuffer, dataOffset, particleBytesSize); ``` `Buffer.bytesToParticle` converts the remaining bytes in the data buffer depending on the `particleType` field. We're interested in the `JBLOB` case: [`client/src/com/aerospike/client/command/Buffer.java:53`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L53) ```java public static Object bytesToParticle(int type, byte[] buf, int offset, int len) throws AerospikeException { switch (type) { // --snip-- case ParticleType.JBLOB: return Buffer.bytesToObject(buf, offset, len); ``` In `bytesToObject`, the deserialization of an object from the message bytes happens: [`client/src/com/aerospike/client/command/Buffer.java:300`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/command/Buffer.java#L300) ```java public static Object bytesToObject(byte[] buf, int offset, int length) { // --snip-- try (ByteArrayInputStream bastream = new ByteArrayInputStream(buf, offset, length)) { try (ObjectInputStream oistream = new ObjectInputStream(bastream)) { return oistream.readObject(); } } // --snip-- } ``` NOTE: Take into account that there exists a similar sink, that can be reached in a similar way, in `Unpacker.unpackBlock`: [`client/src/com/aerospike/client/util/Unpacker.java:227`](https://github.com/aerospike/aerospike-client-java/blob/e40a49b3db0d2b3d45068910e1cb9d917c795315/client/src/com/aerospike/client/util/Unpacker.java#L227) ```java private T unpackBlob(int count) throws IOException, ClassNotFoundException { // --snip-- case ParticleType.JBLOB: // --snip-- try (ByteArrayInputStream bastream = new ByteArrayInputStream(buffer, offset, count)) { try (ObjectInputStream oistream = new ObjectInputStream(bastream)) { val = getJavaBlob(oistream.readObject()); } } ``` This vulnerability was discovered with the help of [CodeQL](https://codeql.github.com/). #### Impact This issue may lead to Remote Code Execution (RCE) in the Java client. #### Remediation Avoid deserialization of untrusted data if at all possible. If the architecture permits it then use other formats instead of serialized objects, for example JSON or XML. However, these formats should not be deserialized into complex objects because this provides further opportunities for attack. For example, XML-based deserialization attacks are possible through libraries such as XStream and XmlDecoder. Alternatively, a tightly controlled whitelist can limit the vulnerability of code but be aware of the existence of so-called Bypass Gadgets, which can circumvent such protection measures. #### Resources To exploit this vulnerability, a malicious Aerospike server is needed. For the sake of simplicity, we implemented a mock server with hardcoded responses, with the only goal of reaching the vulnerable code of the client. To be able to easily reproduce this, we used the client's examples with the `-netty` flag, specifically the `AsyncPutGet`, which uses an `AsyncRead`. The examples point to `localhost:3000` by default, so we set up a simple Netty TCP server listening on that port, which replicates responses previously intercepted from a real Aerospike server and returns them to the client, until the `AsyncRead` command happens. Then, our server injects the malicious response: ```java public class AttackChannelHandler extends SimpleChannelInboundHandler<String> { @Override protected void

Metadata

Created: 2023-08-03T19:45:39Z
Modified: 2023-08-08T22:15:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-jj95-55cr-9597/GHSA-jj95-55cr-9597.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-jj95-55cr-9597
Finding: F096
Auto approve: 1