Articles in this section

CVE-2023-36480 - Aerospike Java Client vulnerable to unsafe deserialization of server responses

Tasneem

Detail

CVE-2023-36480 - Aerospike Java Client vulnerable to unsafe deserialization of server responses

Answer

On August 4th, 2023, GitHub published CVE-2023-36480, a high severity vulnerability in our Aerospike Java client. GitHub Security Lab had previously notified us that the client is vulnerable to CWE-502. Upon confirming a fix in the latest Aerospike Java client version 7.0.0, the CVE was published.

Which clients are potentially impacted by CWE-502?

When one of the Aerospike client’s write methods are called by an application, the application-side data types are converted to matching Aerospike server data types such as string, integer, double, boolean, map, list, geoJSON, or blob.

The Java, C#, and Python clients also automatically serialize unknown data types into client-specific blobs, such as AS_PARTICLE_TYPE_JAVA_BLOB, AS_PARTICLE_TYPE_CSHARP_BLOB, or AS_PARTICLE_TYPE_PYTHON_BLOB. For example, if one of the bins passed to the Java client’s put() method is assigned an instance of class User, that object gets serialized into a ParticleType.JBLOB.

When one of these clients retrieves a record with such a bin, it automatically deserializes it. This means that it is potentially vulnerable to arbitrary code execution, if the bin data isn’t sanitized ahead of being written to the database.

Which applications might be affected by a CWE-502 exploit?

For an application to be vulnerable, it must satisfy the following criteria:

  1. The application uses one of these clients:
    1. Aerospike Java client version < 7.0.0
    2. Aerospike C# client version < 6.0.0
    3. Aerospike Python client < 13.0.0
  2. The application assigns unsupported data types to Aerospike record bins. Supported data types are string, integer, double, boolean, map, list, geoJSON, or blob
  3. The application does not sanitize unsupported data before assigning it to a bin

In other words, CVE-2023-36480 is a false positive when this criteria isn’t met.

Vulnerability scanning false positive results:

Vulnerability scanners such as Snyk will mark applications such as Aerospike connectors as having the CVE-2023-36480 vulnerability due to their use of the Java client. We have verified that vulnerability alerts for the following are false positives:

  • Aerospike Connect inbound connectors
    • JMS, Kafka, Pulsar
  • Aerospike Connect outbound connectors
    • JMS, Kafka, Pulsar, ESP, Elasticsearch, XDR Proxy
These applications do not use the Java client’s automatic serialization of unknown data types when writing to Aerospike, nor do they read data from Aerospike using the Java client.
 

Mitigation

In Java client versions >= 6.1.0  and < 7.0.0 CWE-502 can be avoided by disabling the automating serialization and deserialization behavior for unsupported types.
 

Value.DisableSerializer = false;
Value.DisableDeserializer = false; 


New releases

The following new releases provide a fix for this CVE. Please upgrade your software accordingly.
 

Note: new Java clients with a fix for CVE-2023-36480 (v4.6.0, v5.3.0, v6.3.0 and versions >= 7.1.0) read records with Particle.JBLOB (unknown data types that were previously auto-serialized) as regular byte arrays, and do not automatically deserialize them. You will need to deserialize them yourself, or otherwise convert them to a supported data type (map, list, etc).

Use the blobfinder tool to identify records and bins that contain serialized language blobs  Particle.JBLOB, Particle.CSHARP_BLOB, Particle.PYTHON_BLOB.

java -jar ./aerospike-blob-finder-6.1.11-jar-with-dependencies.jar -u

 

  • Java Client 7.1.0
  • Java Client 6.3.0
  • Java Client 5.3.0
  • Java Client 4.6.0
  • REST Gateway 2.1.2
  • Aerospike Loader 4.0.1
  • Reactive Java Client 7.0.0
  • Java Object Mapper 2.3.1
  • Java Document API 2.0.1
  • Spring Data Aerospike 4.5.0
  • Aerospike JDBC Driver 1.7.4
  • Aerospike JDBC Driver 1.7.3
  • Aerospike Graph Service 1.0.3
  • Aerospike Connect for Elasticsearch 2.1.1
  • Aerospike Connect for Event Stream Processing (ESP) 2.2.1
  • Aerospike Connect for JMS - Inbound 3.0.0
  • Aerospike Connect for JMS - Outbound 4.1.1
  • Aerospike Connect for Kafka - Inbound 3.0.0
  • Aerospike Connect for Kafka - Outbound 5.1.2
  • Aerospike Connect for Pulsar - Inbound 2.0.0
  • Aerospike Connect for Pulsar - Outbound 3.2.1
  • Aerospike Connect XDR-Proxy 3.0.0

Not directly affected by CVE-2023-36480 but fixing a similar CWE-502 behavior

Aerospike always recommends upgrading to the latest hotfix version of a lineage. Subscribe to the Announcements / Releases topic to be notified of any major, hotfix, database or client release by using the notification bell at the top of the screen.
 

If you have further questions, you can contact us via the Support Portal (or via email: support@aerospike.com).

Applies To Earliest Version

Pre 4.9

Applies To Latest Version

Current Version
Was this article helpful?
0 out of 0 found this helpful