Apache MINA Deserialization Allow-list Bypass Vulnerability

Vulnerability

A deserialization vulnerability that bypasses the allow-list of accepted classes has been identified in Apache MINA. The fixed releases are 2.0.29, 2.1.13, and 2.2.8; earlier releases in the 2.0.x, 2.1.x, and 2.2.x lines are affected. The problem arises when a serialized stream contains a TC_PROXYCLASSDESC record, which denotes a java.lang.reflect.Proxy class. For such a record, ObjectInputStream calls resolveProxyClass rather than resolveClass. The default implementation of resolveProxyClass loads each interface named in the record with Class.forName and then builds the proxy class from those interfaces. Because the allow-list check is applied only in resolveClass, the interface names carried by a proxy descriptor are never compared against the accepted-classes list, so classes that are not on the list can be loaded and used during deserialization.
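The bypass and the corresponding fix, as an added example written for this page (it is not Apache MINA's own code): a minimal allow-listing ObjectInputStream in the vulnerable shape, which checks only resolveClass, beside a hardened subclass that also checks every interface name passed to resolveProxyClass. The stream it reads is constructed in the same program by serializing a Proxy that implements java.util.Comparator; the class names, the NoOpHandler, and the allow-list contents are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Comparator;
import java.util.Set;

public class ProxyAllowListBypassDemo {

    // Vulnerable shape (hypothetical stand-in, not MINA's class): resolveClass()
    // enforces the allow-list, but resolveProxyClass() is inherited from the JDK
    // default, which loads every interface named in a TC_PROXYCLASSDESC with
    // Class.forName() and never consults the list.
    static class VulnerableAllowListStream extends ObjectInputStream {
        protected final Set<String> allowed;

        VulnerableAllowListStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Hardened shape: the same check is applied to each proxy interface name
    // before the JDK is allowed to load it and build the proxy class.
    static class HardenedAllowListStream extends VulnerableAllowListStream {
        HardenedAllowListStream(InputStream in, Set<String> allowed) throws IOException {
            super(in, allowed);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            for (String name : interfaces) {
                if (!allowed.contains(name)) {
                    throw new InvalidClassException(name, "proxy interface not on the allow-list");
                }
            }
            return super.resolveProxyClass(interfaces);
        }
    }

    // Serializable invocation handler so the proxy instance can be written out.
    static class NoOpHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) {
            return null;
        }
    }

    // Constructed input: a serialized Proxy implementing java.util.Comparator.
    // The stream holds a TC_PROXYCLASSDESC naming the interface, followed by
    // TC_CLASSDESC records for java.lang.reflect.Proxy and NoOpHandler.
    static byte[] serializedProxy() throws IOException {
        Object proxy = Proxy.newProxyInstance(
                ProxyAllowListBypassDemo.class.getClassLoader(),
                new Class<?>[] { Comparator.class },
                new NoOpHandler());
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(proxy);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serializedProxy();
        // Only the classes that reach resolveClass() are allowed; the proxy's
        // interface, java.util.Comparator, is deliberately left off the list.
        Set<String> allowed = Set.of(Proxy.class.getName(), NoOpHandler.class.getName());

        try (ObjectInputStream in = new VulnerableAllowListStream(new ByteArrayInputStream(payload), allowed)) {
            Object o = in.readObject();
            System.out.println("vulnerable: accepted proxy implementing "
                    + o.getClass().getInterfaces()[0].getName() + " (interface never checked)");
        }

        try (ObjectInputStream in = new HardenedAllowListStream(new ByteArrayInputStream(payload), allowed)) {
            in.readObject();
            System.out.println("hardened: unexpectedly accepted the proxy");
        } catch (InvalidClassException e) {
            System.out.println("hardened: rejected " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Run with `java ProxyAllowListBypassDemo.java` on JDK 11 or later. The vulnerable stream deserializes the proxy even though java.util.Comparator is not on the list; the hardened stream rejects it at the proxy descriptor, before any interface is loaded. A related caveat: a JDK serialization filter installed with ObjectInputStream.setObjectInputFilter (or the jdk.serialFilter system property) is consulted for each interface of a proxy descriptor as well, whereas an allow-list implemented only by overriding resolveClass is not.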

Impact

Exploitation of this vulnerability could result in classes that are not on the allow-list being loaded and instantiated during deserialization. What an attacker can achieve with that depends on the classes reachable on the application's classpath and on how the application's logic uses the deserialized objects.

Remediation

Users of Apache MINA are advised to upgrade to version 2.2.8, 2.1.13, or 2.0.29. After upgrading, it is also recommended to configure the CompressionFilter instance with a maximum decompressed size and, where appropriate, a maximum decompression ratio. Note that the CompressionFilter limits are a separate hardening measure against oversized decompressed input; they do not by themselves prevent the proxy-descriptor bypass, which is addressed by the upgrade.

Added: Jun 3, 2026, 11:22 AM
Updated: Jun 3, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 6.8
remediation: 8.3
relevance: 9.9
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.