mchange-commons-java JNDI Deserialization Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability in mchange-commons-java versions prior to 0.4.0 allows remote code execution through deserialization of JNDI references. The library ships its own JNDI dereferencing code, which can download and execute code from remote factoryClassLocation values; an application is exploited when it is tricked into processing a maliciously crafted javax.naming.Reference or a serialized object that contains one. Because this implementation is independent of the JDK's, it remained abusable even after similar vulnerabilities in the JDK were addressed. The issue is particularly relevant for applications using the c3p0 connection-pool library, which depends on mchange-commons-java and can be manipulated into executing arbitrary code through this JNDI deserialization path.
Impact
Exploitation of this vulnerability leads to unauthorized remote code execution on the server where the affected application is running.
Reproduction
To reproduce this vulnerability, first create a JNDI reference that includes a remote factoryClassLocation pointing to a location where malicious code is hosted. This can be done by crafting a serialized object that, when deserialized, will trigger a JNDI lookup to an attacker-controlled server. Once the malicious reference is prepared, it can be injected into an application that uses c3p0 and mchange-commons-java. The application will then resolve the reference through the vulnerable JNDI implementation, downloading and executing the hosted malicious code.
Remediation
Users are advised to upgrade to mchange-commons-java version 0.4.0 or later, where this vulnerability has been addressed. For applications using c3p0, version 0.12.0 includes corresponding mitigations. If upgrading is not possible, c3p0's JNDI-related functionality can be disabled by setting the appropriate configuration properties.
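One defence-in-depth measure for the deserialization path described above, shown here as an added example that is not code from this advisory or from c3p0/mchange-commons-java: a JEP 290 ObjectInputFilter that rejects javax.naming.Reference and the com.mchange.** packages before any JNDI dereferencing can run. The filter pattern, the class name and the placeholder location are assumptions; upgrading remains the actual fix.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import javax.naming.Reference;
import javax.naming.StringRefAddr;

/** Added example (Java 9+): refuse serialized JNDI References at the deserialization boundary. */
public class JndiRefDeserializationFilterDemo {

    // Assumed reject-list: JNDI reference types and the mchange/c3p0 packages, plus a depth cap.
    // Classes not matched are left UNDECIDED, which ObjectInputStream treats as allowed;
    // in production replace this with an explicit allow-list ending in "!*".
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!javax.naming.**;!com.mchange.**;maxdepth=10");

    /** Serialize an object to bytes (used only to build the constructed sample input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the filter installed; returns null when the filter rejected the stream. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // per-stream filter; can also be set JVM-wide
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            // The filter refused a class: record it and treat the input as hostile.
            System.err.println("rejected by deserialization filter: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a Reference whose factoryClassLocation is a placeholder, not a real host.
        Reference ref = new Reference("java.lang.Object", "ExampleFactory", "http://placeholder.invalid/");
        ref.add(new StringRefAddr("note", "constructed sample for the filter demo"));
        byte[] referenceBytes = serialize(ref);
        byte[] benignBytes = serialize("plain string");

        System.out.println("reference -> " + deserializeFiltered(referenceBytes));
        System.out.println("benign    -> " + deserializeFiltered(benignBytes));
    }
}
```

The same pattern can be applied process-wide with the jdk.serialFilter system property, which covers deserialization done by libraries you do not control.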
