It was discovered that the HotRod Java client in Infinispan automatically deserializes byte-array message contents in certain events. A malicious user could exploit this flaw by injecting a specially crafted serialized object to attain remote code execution or conduct other attacks.
Code link: https://github.com/infinispan/infinispan/blob/master/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/marshall/MarshallerUtil.java#L39
Upstream: https://issues.jboss.org/browse/ISPN-7781
PR: https://github.com/infinispan/infinispan/pull/5116
Fixed in: Infinispan 9.1.0.Final
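The flaw described above is a classic case of a client handing untrusted bytes straight to Java serialization, so any class on the classpath can be instantiated by whoever controls the bytes. The standard mitigation is to refuse to resolve any class that is not on an explicit allowlist before the deserialization machinery touches it. The following is an added illustration of that pattern, written for this page; it is not Infinispan's code and not the fix in the linked PR. The class names, the `CacheEntry` value type and the allowlist contents are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class AllowListDeserializer {

    // Hypothetical allowlist: only the classes this application expects to receive.
    // Everything else is rejected at class-resolution time.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String",
            "java.lang.Integer",
            "AllowListDeserializer$CacheEntry");

    // Hypothetical value type that a cache client would legitimately receive.
    public static final class CacheEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int version;
        CacheEntry(String key, int version) { this.key = key; this.version = version; }
    }

    // ObjectInputStream that only resolves allowlisted classes. resolveClass() runs
    // before any readObject()/readResolve() of the incoming class, so an unexpected
    // class is refused before it can execute anything.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Deserialize a byte array received from the network through the filtering stream.
    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Helper used only to construct sample payloads for the demonstration below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an expected value type round-trips normally.
        byte[] expected = serialize(new CacheEntry("user:42", 3));
        CacheEntry e = (CacheEntry) deserialize(expected);
        System.out.println("accepted: " + e.key + " v" + e.version);

        // Constructed sample: a harmless but non-allowlisted class (ArrayList) is refused.
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("x")));
        try {
            deserialize(unexpected);
        } catch (InvalidClassException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

On JDK 9 and later the same effect is available without subclassing through `java.io.ObjectInputFilter` (for example `ObjectInputStream.setObjectInputFilter(...)` with a pattern such as `AllowListDeserializer$CacheEntry;!*`), which additionally lets you cap object depth and array sizes. Either way, the security-relevant property is the same: the set of classes a network peer can cause to be instantiated is fixed by the application, not by whatever happens to be on the classpath.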
Acknowledgments: Name: Sebastian Olsson (TrueSec)
This issue has been addressed in the following products: Red Hat JBoss Data Grid Via RHSA-2017:3244 https://access.redhat.com/errata/RHSA-2017:3244
reopening flaw bug for adding to RHSAs
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.1 zip Via RHSA-2018:0501 https://access.redhat.com/errata/RHSA-2018:0501