Description
Redisson is a Java Redis client that uses the Netty framework. Prior to version 3.22.0, some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers who manage to trick clients into communicating with a malicious server can include specially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Version 3.22.0 contains a patch for this issue. Some post-fix advice is available. Do NOT use `Kryo5Codec` as the deserialization codec, as it is still vulnerable to arbitrary object deserialization due to the `setRegistrationRequired(false)` call. By contrast, `KryoCodec` is safe to use. The fix applied to `SerializationCodec` only consists of adding an optional allowlist of class names, even though making this behavior the default is recommended. When instantiating `SerializationCodec`, please use the `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` constructor to restrict the allowed classes for deserialization.
EPSS Score:
1%
Comprehensive Technical Analysis of EUVD-2024-2493
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview: The vulnerability in Redisson, a Java Redis client using the Netty framework, allows for unvalidated deserialization of Java objects received from a Redis server. This can lead to arbitrary code execution if an attacker can manipulate the client into communicating with a malicious server.
Severity Evaluation:
- CVSS Base Score: 9.7
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
The high base score indicates a critical vulnerability due to the following factors:
- Attack Vector (AV:N): Network exploitable.
- Attack Complexity (AC:L): Low complexity required for exploitation.
- Privileges Required (PR:N): No privileges required.
- User Interaction (UI:R): Requires user interaction.
- Scope (S:C): Changed; the impact reaches beyond the vulnerable client component to the host it runs on.
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): High impact on all three.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Man-in-the-Middle (MitM) Attack: An attacker could intercept and modify the communication between the Redis client and server.
- Malicious Redis Server: An attacker could set up a malicious Redis server that the client connects to, sending crafted responses to exploit the vulnerability.
Exploitation Methods:
- Deserialization Exploit: The attacker sends specially crafted Java objects in the Redis server responses. When deserialized by the client, these objects execute arbitrary code.
- Kryo5Codec Usage: Using `Kryo5Codec` for deserialization without proper validation can also lead to arbitrary code execution.
3. Affected Systems and Software Versions
Affected Software:
- Redisson versions prior to 3.22.0.
Affected Systems:
- Any system running a vulnerable version of Redisson, particularly those that communicate with untrusted or potentially compromised Redis servers.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade: Upgrade to Redisson version 3.22.0 or later, which includes a patch for this issue.
- Avoid Kryo5Codec: Do not use `Kryo5Codec` for deserialization due to its vulnerability.
- Use Safe Codecs: Use `KryoCodec` or `SerializationCodec` with proper configuration.
Configuration Recommendations:
- SerializationCodec: Use the constructor `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` to restrict the allowed classes for deserialization.
- Default Behavior: Make the allowlist behavior the default to enhance security.
Additional Security Measures:
- Network Security: Implement strong network security measures to prevent MitM attacks.
- Server Validation: Ensure that the Redis server is trusted and validate its identity before communication.
5. Impact on European Cybersecurity Landscape
Potential Impact:
- Widespread Use: Redisson is widely used in Java applications that interact with Redis, making this vulnerability a significant risk.
- Critical Infrastructure: Organizations relying on Redis for critical operations, including financial services, healthcare, and government agencies, are at high risk.
- Compliance: Non-compliance with security standards could lead to legal and financial repercussions.
Mitigation in European Context:
- Regulatory Compliance: Ensure compliance with GDPR and other relevant regulations by implementing robust security measures.
- Collaboration: Collaborate with European cybersecurity agencies and CERTs to share information and best practices.
6. Technical Details for Security Professionals
Vulnerability Details:
- Deserialization Issue: The core issue is the deserialization of unvalidated Java objects, which can lead to arbitrary code execution.
- Patch Information: The patch in version 3.22.0 includes an optional allowlist of class names for `SerializationCodec` to restrict deserialization to trusted classes.
Code Review:
- Kryo5Codec: Avoid using `Kryo5Codec` due to its vulnerability to arbitrary object deserialization.
- KryoCodec: Safe to use as it does not have the same vulnerability.
- SerializationCodec: Ensure proper configuration to restrict allowed classes.
Example Configuration:
import java.util.HashSet;
import java.util.Set;
import org.redisson.codec.SerializationCodec;
Set<String> allowedClasses = new HashSet<>();
allowedClasses.add("com.example.MyClass"); // only the listed fully qualified class names may be deserialized
SerializationCodec codec = new SerializationCodec(getClass().getClassLoader(), allowedClasses);
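As an added example (not code from the advisory or from the Redisson project), the allowlisted `SerializationCodec` wired into a Redisson `Config`, shown beside the unrestricted no-argument constructor it should replace and the `KryoCodec` alternative the advisory names as safe. The Redis address and application class names are placeholders, and the comment on what the allowlist must contain is an assumption about Redisson's implementation, not a statement from the advisory.

```java
// Added example, not from the advisory or the Redisson project. Assumes Redisson 3.22.0+
// on the classpath; the Redis address and application class names are placeholders.
import java.util.HashSet;
import java.util.Set;

import org.redisson.Redisson;
import org.redisson.api.RedissonClient;
import org.redisson.codec.KryoCodec;
import org.redisson.codec.SerializationCodec;
import org.redisson.config.Config;

public class RedissonCodecHardening {
    // WEAK: no allowlist, so any serializable class on the classpath can be
    // instantiated while a response from the Redis server is deserialized.
    static Config unrestrictedConfig(String address) {
        Config config = new Config();
        config.useSingleServer().setAddress(address);
        config.setCodec(new SerializationCodec());
        return config;
    }

    // HARDENED: only the listed fully qualified class names may be deserialized.
    // Assumption: every class in the stored object graph (the value type and the
    // types of its serialized fields) must be listed; anything else is rejected.
    static Config allowlistedConfig(String address, Set<String> allowedClasses) {
        Config config = new Config();
        config.useSingleServer().setAddress(address);
        config.setCodec(new SerializationCodec(
                RedissonCodecHardening.class.getClassLoader(), allowedClasses));
        return config;
    }

    // ALTERNATIVE: KryoCodec, which the advisory states is safe. Kryo5Codec is
    // deliberately absent because it still deserializes arbitrary objects.
    static Config kryoConfig(String address) {
        Config config = new Config();
        config.useSingleServer().setAddress(address);
        config.setCodec(new KryoCodec());
        return config;
    }

    public static void main(String[] args) {
        Set<String> allowed = new HashSet<>();
        allowed.add("com.example.UserProfile"); // placeholder application class
        allowed.add("java.util.ArrayList");     // container type used by that class
        RedissonClient client = Redisson.create(allowlistedConfig("redis://127.0.0.1:6379", allowed));
        client.shutdown();
    }
}
```

Keep the allowlist as small as the application's stored value types permit; a class missing from the set shows up as a deserialization failure on read, which is the intended outcome rather than a misconfiguration to "fix" by widening the list.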
By following these recommendations and understanding the technical details, organizations can effectively mitigate the risks associated with this vulnerability and enhance their overall cybersecurity posture.