Drools: unsafe data deserialization in streamutils
CVE-2022-1415

8.1HIGH

Key Information:

Vendor
Red Hat
Status
RHPam 7.13.1 Async
Red Hat Build Of Apache Camel For Spring Boot
Red Hat Build Of Quarkus
Red Hat Decision Manager 7
Vendor
CVE Published:
11 September 2023

Summary

A security flaw exists in Drools Core where certain utility classes fail to implement appropriate safety measures during data deserialization. This vulnerability permits an authenticated attacker to craft malicious serialized objects, often referred to as gadgets, which can then lead to unauthorized code execution on the server. Proper safeguards should be implemented to mitigate risks associated with this vulnerability.

References

https://access.redhat.com/errata/RHSA-2022:6813
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2022-1415
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2065505
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Paulino Calderon (Websec) for reporting this issue.
.