Bug#1091530: mina2: CVE-2024-52046

Salvatore Bonaccorso carnil at debian.org
Sat Dec 28 08:59:11 GMT 2024


Source: mina2
Version: 2.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for mina2.

CVE-2024-52046[0]:
| The ObjectSerializationDecoder in Apache MINA uses Java’s native
| deserialization protocol to process incoming serialized data but
| lacks the necessary security checks and defenses. This vulnerability
| allows attackers to exploit the deserialization process by sending
| specially crafted malicious serialized data, potentially leading to
| remote code execution (RCE) attacks.
| This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and
| will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.
|
| It's also important to note that an application using MINA core
| library will only be affected if the IoBuffer#getObject() method is
| called, and this specific method is potentially called when adding a
| ProtocolCodecFilter instance using the ObjectSerializationCodecFactory
| class in the filter chain. If your application is specifically using
| those classes, you have to upgrade to the latest version of MINA core
| library.
|
| Upgrading will not be enough: you also need to explicitly allow the
| classes the decoder will accept in the ObjectSerializationDecoder
| instance, using one of the three new methods:
|
|     /**
|      * Accept class names where the supplied ClassNameMatcher matches for
|      * deserialization, unless they are otherwise rejected.
|      *
|      * @param classNameMatcher the matcher to use
|      */
|     public void accept(ClassNameMatcher classNameMatcher)
|
|     /**
|      * Accept class names that match the supplied pattern for
|      * deserialization, unless they are otherwise rejected.
|      *
|      * @param pattern standard Java regexp
|      */
|     public void accept(Pattern pattern)
|
|     /**
|      * Accept the wildcard specified classes for deserialization,
|      * unless they are otherwise rejected.
|      *
|      * @param patterns Wildcard file name patterns as defined by
|      *                 {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String)
|      *                 FilenameUtils.wildcardMatch}
|      */
|     public void accept(String... patterns)
|
| By default, the decoder will reject *all* classes that will be present
| in the incoming data.
|
| Note: The FtpServer, SSHd and Vysper sub-project are not affected by
| this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-52046
    https://www.cve.org/CVERecord?id=CVE-2024-52046
[1] https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
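The advisory quoted above says that upgrading mina-core alone is not enough: a server that puts an ObjectSerializationCodecFactory (or a bare ObjectSerializationDecoder) into its filter chain also has to allow-list the classes it expects. The following is an added example, not code from Apache MINA, Debian or this bug report. It shows the pre-fix wiring that CVE-2024-52046 concerns next to the wiring a MINA 2.2.4 (or 2.0.27 / 2.1.10) deployment needs. The accept(Pattern) and accept(String...) calls are the methods named in the advisory; the package com.example.wire, the message types and the port are assumptions made up for the illustration.

```java
import java.net.InetSocketAddress;
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.filter.codec.serialization.ObjectSerializationEncoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

/**
 * Added example (not Apache MINA or Debian code): the CVE-2024-52046 filter
 * wiring before and after the fix. The package com.example.wire and the
 * port 9000 are assumptions for illustration only.
 */
public class SerializationFilterExample {

    /**
     * Pre-fix pattern. On mina-core before 2.0.27 / 2.1.10 / 2.2.4 the decoder
     * built by ObjectSerializationCodecFactory hands every class named in the
     * incoming stream to Java deserialization, which is the CVE-2024-52046
     * path: any client that can reach the port chooses what gets deserialized.
     */
    static ProtocolCodecFilter legacyFilter() {
        return new ProtocolCodecFilter(new ObjectSerializationCodecFactory());
    }

    /**
     * Post-fix pattern. Construct the decoder yourself so the accept list is
     * explicit. After the fix the default is to reject every class, so a
     * decoder with no accept(...) call decodes nothing at all.
     */
    static ProtocolCodecFilter hardenedFilter() {
        ObjectSerializationDecoder decoder = new ObjectSerializationDecoder();

        // Regexp form: anchor it, otherwise "com.example.wire" would also match
        // an attacker-chosen "evil.com.example.wire.Gadget".
        decoder.accept(Pattern.compile("^com\\.example\\.wire\\.[A-Za-z0-9_$]+$"));

        // Wildcard form (FilenameUtils.wildcardMatch semantics) for an assumed
        // second package. Accept rules are additive.
        decoder.accept("com.example.wire.events.*");

        // The check applies to every class descriptor read from the stream,
        // so the types your messages contain as fields need entries too.
        // Keep the message types flat so this list stays short and reviewable.
        decoder.accept("java.lang.Integer", "java.lang.Long", "java.util.ArrayList");

        return new ProtocolCodecFilter(new ObjectSerializationEncoder(), decoder);
    }

    /** Minimal handler so the acceptor below is runnable on its own. */
    static final class LoggingHandler extends IoHandlerAdapter {
        @Override
        public void messageReceived(IoSession session, Object message) {
            // Only classes on the accept list can reach this point on a
            // fixed mina-core; anything else fails inside the decoder.
            System.out.println("decoded " + message.getClass().getName()
                    + " from " + session.getRemoteAddress());
        }

        @Override
        public void exceptionCaught(IoSession session, Throwable cause) {
            // A rejected class surfaces here as a decoder exception; closing
            // the session is the right reaction, not retrying.
            System.out.println("rejected input from " + session.getRemoteAddress()
                    + ": " + cause);
            session.closeNow();
        }
    }

    public static void main(String[] args) throws Exception {
        IoAcceptor acceptor = new NioSocketAcceptor();
        // Replace hardenedFilter() with legacyFilter() to see the pre-fix wiring;
        // on a fixed mina-core the legacy factory's decoder rejects everything.
        acceptor.getFilterChain().addLast("codec", hardenedFilter());
        acceptor.setHandler(new LoggingHandler());
        acceptor.bind(new InetSocketAddress(9000)); // assumed port
        System.out.println("listening on 9000 with an explicit class allow-list");
    }
}
```

Two practical checks follow from this. First, the accept(...) methods exist only in the fixed releases, so the hardened variant failing to compile is a direct signal that the mina-core on the classpath is still an affected version; on Debian, confirm the package version against the fixed upstream releases listed in the advisory before relying on the allow-list. Second, the advisory's third method, accept(ClassNameMatcher), is the one to use when a regexp or wildcard cannot express the policy, for example when the set of acceptable classes is derived from a registry at startup.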


More information about the pkg-java-maintainers mailing list