Deserialization of Untrusted Data Affecting org.rundeck:rundeck-core package, versions [0,3.3.14)[3.4.0,3.4.3)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Deserialization of Untrusted Data vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGRUNDECK-1577142
- published31 Aug 2021
- disclosed31 Aug 2021
- creditRojan Rijal
Introduced: 31 Aug 2021
CVE-2021-39132 (opens in a new tab)How to fix?
Upgrade org.rundeck:rundeck-core to version 3.3.14, 3.4.3 or higher.
Overview
org.rundeck:rundeck-core is an enable Self-Service operations.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file. This can cause the server to run untrusted code.
(On Rundeck Enterprise Edition an authenticated user can make a POST request that can cause the server to act similarly.)
The zip-format plugin issue requires admin level access to the system resource type.
The ACL Policy yaml file upload issues require create, update, or admin level access to a project_acl resource or to the system_acl resource.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating objects from a sequence of bytes is called deserialization. Deserialization of untrusted data (CWE-502) occurs when an application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the attacker to control the state or the flow of the execution.
com.fasterxml.jackson.core:jackson-databind allows deserialization of JSON input to Java objects. If an application using this dependency has the ability to deserialize a JSON string from an untrusted source, an attacker could leverage this vulnerability to conduct deserialization attacks.
Exploitation of unsafe deserialization attacks through jackson-databind requires the following prerequisites:
1. The target application allowing JSON user input which is processed by jackson-databind
An application using jackson-databind is only vulnerable if a user-provided JSON data is deserialized.
2. Polymorphic type handling for properties with nominal type are enabled
Polymorphic type handling refers to the addition of enough type information so that the deserializer can instantiate the appropriate subtype of a value. Use of "default typing" is considered dangerous due to the possibility of an untrusted method (gadget) managing to specify a class that is accessible through the class-loader and therefore, exposing a set of methods and/or fields.
3. An exploitable gadget class is available for the attacker to leverage
Gadget chains are specially crafted method sequences that can be created by an attacker in order to change the flow of code execution. These gadgets are often methods introduced by third-party components which an attacker could utilise in order to attack the target application. Not every gadget out there is supported by jackson-databind. The maintainers of jackson-databind proactively blacklists possible serialization gadgets in an attempt to ensure that it is not possible for an attacker to chain gadgets during serialization.