CVE-2022-1415: Drools: unsafe data deserialization in streamutils
First published: Fri Mar 18 2022(Updated: )
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.drools:drools-core | <7.69.0.Final | 7.69.0.Final |
| Redhat Decision Manager | =7.0 | |
| Redhat Drools | =7.69.0 | |
| Redhat Jboss Middleware Text-only Advisories | ||
| Redhat Process Automation | =7.0 | |
| redhat/drools | <7.69.0. | 7.69.0. |
| =7.0 | ||
| =7.69.0 | ||
| =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-1415?
CVE-2022-1415 is a vulnerability in Drools core that allows an authenticated attacker to construct malicious serialized objects and achieve code execution on the server.
How severe is CVE-2022-1415?
CVE-2022-1415 has a severity rating of 8.8 (high).
Which software versions are affected by CVE-2022-1415?
CVE-2022-1415 affects Redhat Decision Manager 7.0, Redhat Drools 7.69.0, Redhat Process Automation 7.0, and org.drools:drools-core up to version 7.69.0.Final.
How can an attacker exploit CVE-2022-1415?
CVE-2022-1415 allows an authenticated attacker to exploit the vulnerability by constructing and sending malicious serialized objects (gadgets) to the server.
Where can I find more information about CVE-2022-1415?
You can find more information about CVE-2022-1415 at the following references: [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2022:6813) and [CVE-2022-1415 on Red Hat's Security Page](https://access.redhat.com/security/cve/CVE-2022-1415).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/references
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m5q8-58wh-xxq4
- alias/CVE-2022-1415
- agent/last-modified-date
- agent/description
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-cve
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory
- vendor/redhat
- canonical/redhat decision manager
- version/redhat decision manager/7.0
- canonical/redhat drools
- version/redhat drools/7.69.0
- canonical/redhat jboss middleware text-only advisories
- canonical/redhat process automation
- version/redhat process automation/7.0
- package-manager/maven
- package-manager/redhat