CVE-2022-36944
First published: Fri Sep 23 2022(Updated: )
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Scala-lang Scala | >=2.13.0<2.13.9 | |
| Scala-lang Scala-collection-compat | <2.9.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| redhat/scala | <2.13.9 | 2.13.9 |
| IBM IBM® Engineering Requirements Management DOORS | <=9.7.2.7 | |
| IBM IBM® Engineering Requirements Management DOORS Web Access | <=9.7.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2
- https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0
- https://github.com/scala/scala/pull/10118
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/
- https://www.scala-lang.org/download/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2129810
- https://access.redhat.com/errata/RHSA-2023:3223
- https://access.redhat.com/errata/RHSA-2023:5165
- https://bugzilla.redhat.com/show_bug.cgi?id=2129809
- https://exchange.xforce.ibmcloud.com/vulnerabilities/237018
- https://www.ibm.com/support/pages/node/7124058 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/
Frequently Asked Questions
What is CVE-2022-36944?
CVE-2022-36944 is a vulnerability in Scala 2.13.x before version 2.13.9 that allows attackers to erase contents of arbitrary files and make network connections.
How can CVE-2022-36944 be exploited?
CVE-2022-36944 can only be exploited in conjunction with Java object deserialization within an application.
What is the severity of CVE-2022-36944?
The severity of CVE-2022-36944 is critical.
Which software versions are affected by CVE-2022-36944?
Scala 2.13.x versions from 2.13.0 to 2.13.9 are affected by CVE-2022-36944.
How do I fix CVE-2022-36944?
To fix CVE-2022-36944, upgrade Scala to version 2.13.9 or higher.
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-36944
- agent/software-canonical-lookup
- agent/event
- agent/references
- agent/severity
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/mitre-cve
- source/MITRE
- vendor/scala-lang
- canonical/scala-lang scala
- version/scala-lang scala/2.13.0
- canonical/scala-lang scala-collection-compat
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- package-manager/redhat
- vendor/ibm
- canonical/ibm ibm® engineering requirements management doors
- version/ibm ibm® engineering requirements management doors/9.7.2.7
- canonical/ibm ibm® engineering requirements management doors web access
- version/ibm ibm® engineering requirements management doors web access/9.7.2.7