Authors:Man Yue Mo Risk：High CVE：CVE-2018-1295 0day:Arbitrary Code Execution 0day-id:0DAY-1295 Date：2018-04-12
In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a specially prepared form of a serialized object to one of the deserialization endpoints of some Ignite components – discovery SPI, Ignite persistence, Memcached endpoint, socket steamer.
Ignite classpath contains arbitrary vulnerable classes.
Apache Ignite 2.3 or earlier
• All Ignite versions: make sure there are no vulnerable classes among your custom code used in Apache Ignite. • Ignite 2.3 or earlier users: upgrade to Ignite 2.4 and use IGNITE_MARSHALLER_WHITELIST and/or IGNITE_MARSHALLER_BLACKLIST system properties to define classes allowed for deserialization
The vulnerability was discovered by Man Yue Mo of lgtm.com.