The vulnerability is a classic case of deserialization of untrusted data (CWE-502) within Apache Seata's Raft-based clustering mechanism. The root cause lies in the org.apache.seata.server.cluster.raft.serializer.CustomDeserializer.deserialize method. This method converted a class name taken from the incoming JSON stream into a Class object with Class.forName(), without validating the name. Because the class name is attacker-controlled, any class on the server's classpath could be loaded (and, if the single-argument Class.forName(String) overload is used, its static initializer also runs), which can be leveraged into remote code execution when a suitable 'gadget' class is available.
The patch addresses this by introducing a whitelist in the CustomDeserializer, restricting class loading to classes under the org.apache.seata package; a class name outside that package is rejected before Class.forName() is reached. This blocks the gadget classes that live in third-party libraries on the classpath. Note that a package-level whitelist is still coarser than an explicit list of the message types the deserializer actually expects, since it trusts every class under org.apache.seata.
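As an added illustration, and not Seata's own code, the following shows the vulnerable shape of such a Jackson deserializer next to a hardened one that applies the kind of package whitelist the patch describes. The class names, the whitelist contents and the Jackson-based structure are assumptions; the trailing-dot check and initialize=false are recommendations for a hardened implementation, not claims about what the actual patch contains.

```java
import java.io.IOException;
import java.util.Set;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.JsonMappingException;

/**
 * Illustrative reconstruction of the issue described above (not Seata's code).
 * Names, the whitelist contents and the error types are assumptions.
 */
public final class ClassNameDeserializers {

    /** Shape of the vulnerable deserializer: whatever string arrives becomes a Class. */
    public static final class UnsafeClassDeserializer extends JsonDeserializer<Class<?>> {
        @Override
        public Class<?> deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String className = p.getValueAsString();
            try {
                // className is attacker-controlled; this overload also runs static initializers.
                return Class.forName(className);
            } catch (ClassNotFoundException e) {
                throw JsonMappingException.from(p, "class not found: " + className, e);
            }
        }
    }

    /** Hardened form: package-prefix whitelist, checked before the class loader is touched. */
    public static final class WhitelistedClassDeserializer extends JsonDeserializer<Class<?>> {
        @Override
        public Class<?> deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String className = p.getValueAsString();
            if (!isAllowed(className)) {
                throw JsonMappingException.from(p, "class not permitted: " + className);
            }
            try {
                return resolve(className);
            } catch (ClassNotFoundException e) {
                throw JsonMappingException.from(p, "class not found: " + className, e);
            }
        }
    }

    // Assumed whitelist. The trailing dot matters: the bare prefix "org.apache.seata"
    // would also accept a sibling package such as "org.apache.seatax.Evil".
    private static final Set<String> ALLOWED_PREFIXES = Set.of("org.apache.seata.");

    /** Pure name check, usable on its own (e.g. in a unit test) without a JsonParser. */
    public static boolean isAllowed(String className) {
        if (className == null) {
            return false;
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Resolve the name without initializing the class, so no static initializer runs on lookup. */
    public static Class<?> resolve(String className) throws ClassNotFoundException {
        return Class.forName(className, false, Thread.currentThread().getContextClassLoader());
    }
}
```

The hardened deserializer is registered the usual Jackson way, either through SimpleModule.addDeserializer or with @JsonDeserialize(using = WhitelistedClassDeserializer.class) on the Class-typed field. Two design points matter beyond the prefix check itself: the check runs before any class loader is consulted, so a rejected name cannot trigger loading side effects, and the three-argument Class.forName with initialize=false means that even an allowed class is not initialized merely by being named in a message.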
The functions RaftSnapshotSerializer.decode and RaftSyncMessageSerializer.decode are the primary entry points through which the vulnerability is reached. They take the raw bytes of a Raft snapshot or synchronization message, respectively, and deserialize them with ObjectInputStream.readObject(); that deserialization in turn invokes the vulnerable CustomDeserializer. An attacker who can deliver a crafted Raft message to a Seata server therefore reaches the unvalidated Class.forName() call through one of these decode methods. The patch's changes to the exception handling in these methods handle the new security exception thrown by the hardened deserializer, which is consistent with their position on the exploitation path.
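As a second added example, again not Seata's code, here is a decode() boundary in the shape described above, once in its unfiltered form and once with a JDK serialization filter (JEP 290, Java 9 and later) that rejects every class except the expected message type. RaftMessage, the filter pattern and its limits are assumptions; this is an additional layer a practitioner would add at this boundary, not the patch the text describes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added illustration (not Seata's code): a decode() entry point in the shape the text
 * describes, first without and then with a JDK serialization filter. RaftMessage stands in
 * for the snapshot / sync-message types; the filter pattern and limits are assumptions.
 */
public final class RaftMessageDecoder {

    /** Stand-in for the message type the real decode methods return. */
    public static final class RaftMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String payload;
        public RaftMessage(String payload) { this.payload = payload; }
    }

    /** Shape of the vulnerable entry point: every class named in the stream is resolved and
     *  instantiated before the cast on the result runs, so the cast protects nothing. */
    public static RaftMessage decodeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (RaftMessage) ois.readObject();
        }
    }

    /** Hardened entry point: the filter vetoes any class outside the expected set before it is resolved. */
    public static RaftMessage decodeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        // Allow only the message type and String (its payload field); cap depth and size; reject the rest.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                RaftMessage.class.getName() + ";java.lang.String;maxdepth=8;maxbytes=1048576;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return (RaftMessage) ois.readObject();
        }
    }

    /** Helper: Java-serialize any object, standing in for bytes that arrived over the Raft transport. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** True if the filtered decoder refuses the bytes, the expected outcome for any non-whitelisted class. */
    public static boolean rejectedByFilter(byte[] bytes) throws IOException, ClassNotFoundException {
        try {
            decodeFiltered(bytes);
            return false;
        } catch (InvalidClassException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new RaftMessage("snapshot-chunk"));   // constructed sample input
        byte[] foreign = serialize(new HashMap<String, String>());      // stands in for a substituted object

        System.out.println("legit, filtered:     " + decodeFiltered(legit).payload);
        System.out.println("foreign, filtered:   rejected=" + rejectedByFilter(foreign));
        try {
            // The unfiltered decoder fails only at the cast, after the HashMap has been fully built.
            decodeUnfiltered(foreign);
        } catch (ClassCastException e) {
            System.out.println("foreign, unfiltered: object built, then ClassCastException");
        }
    }
}
```

If the decode methods really hand network-supplied bytes straight to ObjectInputStream.readObject(), as the text states, then that call is itself an untrusted-deserialization sink independent of the class name check inside CustomDeserializer, so the package whitelist in the deserializer is best paired with a filter like the one above (or a JVM-wide one via the jdk.serialFilter system property) at this boundary. The filter is consulted for each class as it is resolved, which is why the HashMap in the example is refused before any of its contents are reconstructed, whereas the unfiltered path only notices the problem at the final cast.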
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.seata:seata-config-core | maven | >= 2.0.0, < 2.3.0 | 2.3.0 |