CVE-2022-36944
Java deserialization vulnerability in scala-library (Maven)

Java deserialization Proof of concept

What is CVE-2022-36944 About?

This Java deserialization vulnerability in Scala 2.13.x exists in its JAR file and can lead to arbitrary code execution or file manipulation. Exploitation requires specific conditions involving `LazyList` object deserialization, increasing its complexity.

Affected Software

org.scala-lang:scala-library >2.13.0, <2.13.9

Technical Details

Scala 2.13.x versions before 2.13.9 contain a Java deserialization chain within its JAR file. While this chain is not exploitable on its own, it poses a significant risk when combined with LazyList object deserialization within an application. In such a scenario, an attacker can leverage this gadget chain to achieve various malicious outcomes, including erasing the contents of arbitrary files, initiating network connections, or potentially executing arbitrary code. Specifically, this vulnerability can be used to run Function0 functions during deserialization, providing a powerful primitive for arbitrary code execution.

What is the Impact of CVE-2022-36944?

Successful exploitation may allow attackers to execute arbitrary code, erase arbitrary files, or make unauthorized network connections, leading to full system compromise, data loss, or unauthorized access.

What is the Exploitability of CVE-2022-36944?

Exploitation requires the application to deserialize LazyList objects and the attacker to supply a malicious serialized object. The complexity is high, as it requires knowledge of the application's serialization practices and the ability to craft a working gadget chain. Authentication and privilege requirements depend on where the deserialization occurs; if it is exposed through a public API, the attack could be remote and unauthenticated. The attack is typically remote if the serialized object can be delivered over the network. A critical prerequisite is the presence of LazyList object deserialization in the target application. The risk is extreme in applications that deserialize untrusted data without strong validation or sandboxing.

What are the Known Public Exploits?

PoC Author | Link | Commentary
yarocher   | Link | POC for the CVE-2022-36944 vulnerability exploit

What are the Available Fixes for CVE-2022-36944?

Available Upgrade Options

  • org.scala-lang:scala-library
    • >2.13.0, <2.13.9 → Upgrade to 2.13.9
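Where the upgrade cannot be applied immediately, a JEP 290 deserialization filter can refuse LazyList classes (and anything not explicitly allowed) before their readObject logic, and so any Function0 the chain would run, executes. The Scala program below is an added example, not code from this advisory or from the Scala project; `Record`, `LazyListFilterDemo` and the allow-list entries are assumed names, and it assumes Java 9+ and scala-library 2.13.x on the classpath.

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream, InvalidClassException,
                ObjectInputFilter, ObjectInputStream, ObjectOutputStream}

// Constructed application type, used only for this demonstration.
final case class Record(name: String, count: Int)

object LazyListFilterDemo {

  // JEP 290 filter (Java 9+). Patterns are matched left to right and the first
  // match decides: explicit LazyList deny first, then a narrow allow-list, then
  // reject everything else. The trailing `*` also covers the companion object
  // and any nested serialization-proxy classes of LazyList.
  val filter: ObjectInputFilter = ObjectInputFilter.Config.createFilter(
    "!scala.collection.immutable.LazyList*;" +  // CVE-2022-36944 entry point
    "Record;" +                                  // the application's own type (assumed name)
    "java.base/*;" +                             // JDK classes such as String
    "maxdepth=16;maxrefs=512;maxbytes=65536;" +  // resource limits on the stream
    "!*"                                         // deny anything not listed above
  )

  def serialize(obj: AnyRef): Array[Byte] = {
    val bytes = new ByteArrayOutputStream()
    val out = new ObjectOutputStream(bytes)
    try out.writeObject(obj) finally out.close()
    bytes.toByteArray
  }

  // Single entry point that every untrusted stream must pass through.
  def deserializeFiltered(data: Array[Byte]): AnyRef = {
    val in = new ObjectInputStream(new ByteArrayInputStream(data))
    try {
      in.setObjectInputFilter(filter) // must be set before readObject
      in.readObject()
    } finally in.close()
  }

  def main(args: Array[String]): Unit = {
    // A benign application object passes the allow-list.
    println(deserializeFiltered(serialize(Record("ok", 3))))

    // A LazyList is rejected at class-descriptor time, before any of its
    // deserialization logic runs.
    val lazyBytes = serialize(LazyList(1, 2, 3))
    try {
      deserializeFiltered(lazyBytes)
      println("unexpected: LazyList accepted")
    } catch {
      case e: InvalidClassException => println(s"rejected as expected: ${e.getMessage}")
    }
  }
}
```

The explicit deny is redundant given the closing `!*`, but it documents the intent and keeps LazyList blocked even if the allow-list is later widened to `scala.**`.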


Additional Resources

What are Similar Vulnerabilities to CVE-2022-36944?

Similar Vulnerabilities: CVE-2021-44228, CVE-2020-25648, CVE-2019-17558, CVE-2017-9805, CVE-2017-3241