Bug 1213660 (CVE-2023-38647)

Summary: VUL-0: CVE-2023-38647: helix: Deserialization vulnerability in Helix workflow and REST
Product: [openSUSE] openSUSE Distribution Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: OtherAssignee: Soc Virnyl Estela <uncomfy+openbuildservice>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium    
Version: Leap 15.5   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/373380/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gianluca Gabrielli 2023-07-26 06:47:17 UTC 
Posted by Junkai Xue on Jul 25Severity: important

Affected versions:

- Apache Helix through 1.2.0

Description:

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and 
then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization 
can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.

Affect all the...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38647
https://seclists.org/oss-sec/2023/q3/73
Comment 1 Soc Virnyl Estela 2023-07-26 22:13:44 UTC 
This is for Apache Helix and not the Helix editor.
Comment 2 Gianluca Gabrielli 2023-07-27 06:44:05 UTC 
Thanks for having pointed this out, I'm sorry for the confusion.