Bug 1213660 (CVE-2023-38647) - VUL-0: CVE-2023-38647: helix: Deserialization vulnerability in Helix workflow and REST
Status: RESOLVED INVALID
Alias: CVE-2023-38647
Product: openSUSE Distribution
Classification: openSUSE
Component: Other
Version: Leap 15.5
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Soc Virnyl Estela
QA Contact: E-mail List
URL: https://smash.suse.de/issue/373380/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-26 06:47 UTC by Gianluca Gabrielli
Modified: 2023-07-27 06:44 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2023-07-26 06:47:17 UTC
Posted by Junkai Xue on Jul 25

Severity: important

Affected versions:

- Apache Helix through 1.2.0

Description:

An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can be run in Helix REST start and Workflow creation.

Affect all the...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38647
https://seclists.org/oss-sec/2023/q3/73
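The advisory's root cause is a SnakeYAML loader that honours global (`!!`) class tags from untrusted input. The following Java example is added here for illustration and is not part of the advisory, the bug report, or Apache Helix's own code; it assumes SnakeYAML 1.33 or later (the `SafeConstructor(LoaderOptions)` constructor) and uses a constructed YAML document with a harmless `!!java.io.File` tag as a stand-in for any class-instantiating tag. It shows the loader pattern the advisory describes next to the hardened form a defender should use.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoading {

    // Constructed sample: plain configuration data of the kind a workflow
    // or REST endpoint might legitimately accept.
    static final String PLAIN_CONFIG =
            "name: example-workflow\n"
            + "parallelism: 4\n"
            + "tags: [batch, nightly]\n";

    // Constructed sample carrying a global (!!) class tag. A permissive
    // loader treats this as a request to instantiate the named Java class;
    // java.io.File is used here only as a harmless stand-in.
    static final String TAGGED_CONFIG =
            "name: example-workflow\n"
            + "path: !!java.io.File \"/tmp/example\"\n";

    // Pattern the advisory describes: in SnakeYAML 1.x the default
    // Constructor instantiates whatever class a !! tag names, so the
    // document itself controls which Java objects get created.
    static Object loadPermissive(String yamlText) {
        Yaml yaml = new Yaml();
        return yaml.load(yamlText);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and throws ConstructorException on any
    // class tag. LoaderOptions additionally bounds alias expansion.
    static Object loadSafe(String yamlText) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50);
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        Map<?, ?> config = (Map<?, ?>) loadSafe(PLAIN_CONFIG);
        System.out.println("plain config loaded, name=" + config.get("name"));

        try {
            loadSafe(TAGGED_CONFIG);
            System.out.println("UNEXPECTED: class-tagged document was accepted");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag ..."
            System.out.println("class-tagged document rejected: " + e.getMessage());
        }
    }
}
```

The same check is a useful detection heuristic for code review: any `new Yaml()` or `new Yaml(new Constructor(...))` that receives request bodies, workflow definitions or other externally supplied text should be treated as a deserialization sink and moved to `SafeConstructor` (or, in SnakeYAML 2.x, to an explicit `TagInspector` allow-list) unless there is a documented reason to construct application classes from that input.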
Comment 1 Soc Virnyl Estela 2023-07-26 22:13:44 UTC
This is for Apache Helix and not the Helix editor.
Comment 2 Gianluca Gabrielli 2023-07-27 06:44:05 UTC
Thanks for having pointed this out, I'm sorry for the confusion.