Unsafe Deserialization Vulnerability in EthereumJ by Ethereum
CVE-2018-15890

9.8CRITICAL

Key Information:

Vendor

Ethereum

Status
Ethereumj
Vendor
CVE Published:
20 June 2019

What is CVE-2018-15890?

A vulnerability exists in EthereumJ 1.8.2 due to unsafe deserialization techniques utilized in the code. Specifically, issues are found in the ois.readObject method within mine/Ethash.java and in decoder.readObject within crypto/ECKey.java. Exploiting this vulnerability during node synchronization and block mining could allow an attacker to execute arbitrary operating system commands on the server, posing serious security risks.

References

https://github.com/ethereum/ethereumj
x_refsource_MISC
https://github.com/frohoff/ysoserial/
x_refsource_MISC
https://github.com/ethereum/ethereumj/issues/1161
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-15890 : Unsafe Deserialization Vulnerability in EthereumJ by Ethereum