CVE-2024-52046

Severity CVSS v4.0:
CRITICAL
Type:
CWE-502 Deserialization of Untrusted Data
Publication date:
25/12/2024
Last modified:
12/02/2025

Description

The ObjectSerializationDecoder in Apache MINA uses Java's native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. An attacker who can reach the decoder can send specially crafted serialized data to it, potentially leading to remote code execution (RCE).

This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X and is fixed in releases 2.0.27, 2.1.10 and 2.2.4.

An application using the MINA core library is only affected if the IoBuffer#getObject() method is called. That method is reached in particular when a ProtocolCodecFilter built from the ObjectSerializationCodecFactory class is added to the filter chain. If your application uses those classes, you have to upgrade to the latest version of the MINA core library.

Upgrading alone is not enough: you also need to explicitly allow the classes the decoder will accept, on the ObjectSerializationDecoder instance, using one of the three new methods:

    /**
     * Accept class names where the supplied ClassNameMatcher matches for
     * deserialization, unless they are otherwise rejected.
     *
     * @param classNameMatcher the matcher to use
     */
    public void accept(ClassNameMatcher classNameMatcher)

    /**
     * Accept class names that match the supplied pattern for
     * deserialization, unless they are otherwise rejected.
     *
     * @param pattern standard Java regexp
     */
    public void accept(Pattern pattern)

    /**
     * Accept the wildcard specified classes for deserialization,
     * unless they are otherwise rejected.
     *
     * @param patterns Wildcard file name patterns as defined by
     * {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
     */
    public void accept(String... patterns)

By default, the decoder rejects *all* classes present in the incoming data. A patched application that has not configured an allow list will therefore refuse to deserialize every incoming object rather than silently remain exploitable, so the allow list is a required part of the upgrade, not an optional hardening step.

Note: The FtpServer, SSHd and Vysper sub-projects are not affected by this issue.

Vulnerable products and versions

CPE                                        From                 Up to
cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*      2.0.0 (including)    2.0.27 (excluding)
cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*      2.1.0 (including)    2.1.10 (excluding)
cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*      2.2.0 (including)    2.2.4 (excluding)