Bug 2065505 (CVE-2022-1415)

Summary: CVE-2022-1415 drools: unsafe data deserialization in StreamUtils
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, alazarot, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dward, ecerquei, emingora, etirelli, fjuma, fmariani, fmongiar, gjospin, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jmartisk, jnethert, jochrist, jolee, jpoth, jrokos, jschatte, jstastny, jwon, krathod, kverlaen, lgao, lthon, manderse, mnovotny, mosmerov, msochure, msvehla, nwallace, olubyans, pantinor, pcongius, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, rguimara, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdouglas, smaestri, tcunning, tkobayas, tom.jenkinson, tqvarnst, yfang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: drools 7.69.0.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
Bug Blocks: 2036926    

Description Chess Hazlett 2022-03-18 01:37:24 UTC
It was found that some utility classes in Drools core did not use proper safeguards when deserializing data. An authenticated attacker could construct malicious serialized objects (usually called gadgets) and use this flaw to achieve code execution on the server.
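As an added illustration (not Drools' own StreamUtils code), the unfiltered ObjectInputStream pattern this class of flaw describes, beside a hardened form that installs a JDK ObjectInputFilter allowlist (Java 9+); the class and method names and the sample payloads are constructed for the example.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

// Hypothetical helper, not the Drools class: shows the unsafe shape and a fix.
public class SafeStreamUtils {

    // Vulnerable shape: any Serializable class on the classpath may be instantiated,
    // so attacker-supplied bytes choose which gadget classes get constructed.
    public static Object unsafeFromBytes(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened: only the expected type plus a few harmless JDK types are allowed;
    // "!*" rejects everything else, and depth/array limits cap resource abuse.
    public static <T> T safeFromBytes(byte[] data, Class<T> expected) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxarray=1000;" + expected.getName() + ";java.lang.*;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);           // rejected classes raise InvalidClassException
            return expected.cast(in.readObject());
        }
    }

    // Constructed sample input: serialize in-process so the example runs offline.
    private static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = toBytes(new ArrayList<>(List.of("rule-1", "rule-2")));
        byte[] unexpected = toBytes(new HashMap<String, String>());   // stands in for an unwanted type

        System.out.println("allowed: " + safeFromBytes(benign, ArrayList.class));
        try {
            safeFromBytes(unexpected, ArrayList.class);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same filter can be set process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which also covers deserialization paths in third-party libraries that an application cannot patch itself.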