Описание
Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue.
Some post-fix advice is available. Do NOT use Kryo5Codec as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the setRegistrationRequired(false) call. On the contrary, KryoCodec is safe to use. The fix applied to SerializationCodec only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating SerializationCodec please use the SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses) constructor to restrict the allowed classes for deserialization.
Deserialization of untrusted data vulnerability was found in Redisson, as some messages received from the Redis server contain Java objects that the client deserializes without further validation. This flaw allows attackers who manage to trick clients into communicating with a malicious server to include specially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This issue can be exploited to take control of the machine the client is running in.
Отчет
This vulnerability in Redisson is a important severity issue because it directly enables remote code execution (RCE) by allowing an attacker to inject malicious objects into the deserialization process. Since deserialization occurs automatically and without proper validation, an attacker can exploit this flaw to execute arbitrary code on the client machine, potentially leading to full system compromise. The impact is particularly severe as it bypasses traditional security controls and can be leveraged to escalate privileges, exfiltrate sensitive data, or disrupt services, making it a significant threat to the security and integrity of affected systems.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat build of Apache Camel for Spring Boot 3 | org.redisson/redisson | Not affected | ||
| Red Hat build of Apache Camel for Spring Boot 4 | org.redisson/redisson | Not affected | ||
| Red Hat Integration Camel K 1 | org.redisson/redisson | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
8.8 High
CVSS3
Связанные уязвимости
Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in. Version 3.22.0 contains a patch for this issue. Some post-fix advice is available. Do NOT use `Kryo5Codec` as deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. On the contrary, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec`
Redisson vulnerable to Deserialization of Untrusted Data
EPSS
8.8 High
CVSS3