Vulnerability-Lookup

CNVD-2022-14702

Vulnerability from cnvd - Published: 2022-02-23

Title

Apache Cayenne输入验证错误漏洞

Description

Apache Cayenne是美国阿帕奇（Apache）基金会的一个根据 Apache 许可证许可的开源持久性框架。用于提供对象关系映射和远程处理服务。 Apache Cayenne中存在输入验证错误漏洞，该漏洞源于产品未对用户上传的负载进行安全检查。攻击者可通过该漏洞导致任意代码执行。

Severity

中

Patch Name

Apache Cayenne输入验证错误漏洞的补丁

Patch Description

Apache Cayenne是美国阿帕奇（Apache）基金会的一个根据 Apache 许可证许可的开源持久性框架。用于提供对象关系映射和远程处理服务。 Apache Cayenne中存在输入验证错误漏洞，该漏洞源于产品未对用户上传的负载进行安全检查。攻击者可通过该漏洞导致任意代码执行。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-24289

Impacted products

Name
Apache Cayenne <4.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24289",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-24289"
    }
  },
  "description": "Apache Cayenne\u662f\u7f8e\u56fd\u963f\u5e15\u5947 \uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6839\u636e Apache \u8bb8\u53ef\u8bc1\u8bb8\u53ef\u7684\u5f00\u6e90\u6301\u4e45\u6027\u6846\u67b6\u3002\u7528\u4e8e\u63d0\u4f9b\u5bf9\u8c61\u5173\u7cfb\u6620\u5c04\u548c\u8fdc\u7a0b\u5904\u7406\u670d\u52a1\u3002\n\nApache Cayenne\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u672a\u5bf9\u7528\u6237\u4e0a\u4f20\u7684\u8d1f\u8f7d\u8fdb\u884c\u5b89\u5168\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-14702",
  "openTime": "2022-02-23",
  "patchDescription": "Apache Cayenne\u662f\u7f8e\u56fd\u963f\u5e15\u5947 \uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6839\u636e Apache \u8bb8\u53ef\u8bc1\u8bb8\u53ef\u7684\u5f00\u6e90\u6301\u4e45\u6027\u6846\u67b6\u3002\u7528\u4e8e\u63d0\u4f9b\u5bf9\u8c61\u5173\u7cfb\u6620\u5c04\u548c\u8fdc\u7a0b\u5904\u7406\u670d\u52a1\u3002\r\n\r\nApache Cayenne\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u672a\u5bf9\u7528\u6237\u4e0a\u4f20\u7684\u8d1f\u8f7d\u8fdb\u884c\u5b89\u5168\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Cayenne\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Cayenne \u003c4.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-24289",
  "serverity": "\u4e2d",
  "submitTime": "2022-02-15",
  "title": "Apache Cayenne\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2022-24289 (GCVE-0-2022-24289)

Vulnerability from cvelistv5 – Published: 2022-02-11 12:20 – Updated: 2024-08-03 04:07

Title

Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions

Summary

Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/zthjy83t3o66x7xcb…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2022/02/11/1	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Cayenne	Affected: 4.1 , ≤ 4.1 (custom)

Credits

Panda

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:07:02.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"
          },
          {
            "name": "[oss-security] 20220211 CVE-2022-24289: Apache Cayenne: Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/02/11/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Cayenne",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "4.1",
              "status": "affected",
              "version": "4.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Panda"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne\u0027s optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to \u0027remote\u0027 applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T15:06:14.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"
        },
        {
          "name": "[oss-security] 20220211 CVE-2022-24289: Apache Cayenne: Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/02/11/1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions",
      "workarounds": [
        {
          "lang": "en",
          "value": "Either upgrade to Apache Cayenne 4.2 or a patched version of Java (after 6u211, 7u201, 8u191, and 11.0.1)\n\nAll versions of Apache Cayenne 4.2 have whitelisting enabled by default for the Hessian deserialization.  Later versions of Java also have LDAP mitigation in place. Users can either upgrade Java or Apache Cayenne to avoid the issue.\n\nLDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 11.0.1 where com.sun.jndi.ldap.object.trustURLCodebase system property is set to false by default to prevent JNDI from loading remote code through LDAP."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24289",
          "STATE": "PUBLIC",
          "TITLE": "Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Cayenne",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "4.1",
                            "version_value": "4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Panda"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne\u0027s optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to \u0027remote\u0027 applications. In Apache Cayenne 4.1 and earlier, running on non-current patch versions of Java, an attacker with client access to Cayenne ROP can transmit a malicious payload to any vulnerable third-party dependency on the server. This can result in arbitrary code execution."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502 Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/zthjy83t3o66x7xcbygn2vg3yjvlc9vc"
            },
            {
              "name": "[oss-security] 20220211 CVE-2022-24289: Apache Cayenne: Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/02/11/1"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Either upgrade to Apache Cayenne 4.2 or a patched version of Java (after 6u211, 7u201, 8u191, and 11.0.1)\n\nAll versions of Apache Cayenne 4.2 have whitelisting enabled by default for the Hessian deserialization.  Later versions of Java also have LDAP mitigation in place. Users can either upgrade Java or Apache Cayenne to avoid the issue.\n\nLDAP mitigation is present starting in JDK 6u211, 7u201, 8u191, and 11.0.1 where com.sun.jndi.ldap.object.trustURLCodebase system property is set to false by default to prevent JNDI from loading remote code through LDAP."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-24289",
    "datePublished": "2022-02-11T12:20:15.000Z",
    "dateReserved": "2022-02-01T00:00:00.000Z",
    "dateUpdated": "2024-08-03T04:07:02.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-14702

CVE-2022-24289 (GCVE-0-2022-24289)

Tags

Sightings

Nomenclature