25/7/2023
26/7/2023
26/7/2023
2/10/2024
CVE-2023-38647: Apache Helix: Deserialization vulnerability in Helix workflow and REST
First published: Tue Jul 25 2023 (Updated: )
An attacker can use SnakeYAML to deserialize java.net.URLClassLoader and make it load a JAR from a specified URL, and then deserialize javax.script.ScriptEngineManager to load code using that ClassLoader. This unbounded deserialization can likely lead to remote code execution. The code can run during Helix REST start-up and workflow creation.
Affects all versions up to and including 1.2.0.
Affected products: helix-core, helix-rest
Mitigation: Short term, stop using any YAML-based configuration and workflow creation.
Long term, upgrade all Helix deployments to 1.3.0.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Helix | <1.3.0 | |
| maven/org.apache.helix:helix-rest | <1.3.0 | 1.3.0 |
| maven/org.apache.helix:helix-core | <1.3.0 | 1.3.0 |
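The root cause above is a YAML loader that honours `!!fully.qualified.Class` tags in untrusted input. The following added example (not Helix's own code, and not the project's actual fix) shows the pattern to avoid next to the standard SnakeYAML hardening, SafeConstructor, applied to a constructed workflow-like document; it assumes SnakeYAML 2.x on the classpath.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class SafeWorkflowLoad {

    // Constructed sample in the shape of a workflow definition; not a real Helix file.
    static final String PLAIN_WORKFLOW =
        "name: nightly\n" +
        "jobs:\n" +
        "  - name: compact\n" +
        "    command: Compact\n";

    // Same document carrying an explicit global tag. A class name after "!!"
    // is what lets a permissive loader instantiate arbitrary JDK types.
    static final String TAGGED_WORKFLOW =
        "name: nightly\n" +
        "jobs: !!java.util.ArrayList\n" +
        "  - name: compact\n";

    // Pattern to avoid: the default Constructor. On SnakeYAML 1.x it instantiates
    // whatever class a "!!" tag names; on 2.x global tags are refused unless a
    // TagInspector explicitly allows them.
    static Object loadUnsafe(String text) {
        return new Yaml().load(text);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and throws on any other global tag.
    static Object loadSafe(String text) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        return new Yaml(new SafeConstructor(opts)).load(text);
    }

    public static void main(String[] args) {
        Map<?, ?> ok = (Map<?, ?>) loadSafe(PLAIN_WORKFLOW);
        System.out.println("plain workflow parsed, jobs=" + ok.get("jobs"));
        try {
            loadSafe(TAGGED_WORKFLOW);
            System.out.println("unexpected: tagged document accepted");
        } catch (YAMLException e) {
            // ConstructorException: "could not determine a constructor for the tag ..."
            System.out.println("tagged document rejected: " + e.getMessage());
        }
    }
}
```

Rejecting any `!!` tag at load time is the check to verify in your own YAML entry points; it is independent of which gadget class an attacker names.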
Frequently Asked Questions
What is CVE-2023-38647?
CVE-2023-38647 is a vulnerability in Apache Helix that allows remote code execution through unbounded deserialization.
How severe is the CVE-2023-38647 vulnerability?
The severity of the CVE-2023-38647 vulnerability is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2023-38647?
The versions affected by CVE-2023-38647 are Apache Helix 1.3.0 and earlier.
How can I fix the CVE-2023-38647 vulnerability?
To fix the CVE-2023-38647 vulnerability, update Apache Helix to version 1.3.0 or later.
Where can I find more information about CVE-2023-38647?
You can find more information about CVE-2023-38647 in the Apache Helix mailing list, NVD, and GitHub commit references.
© 2024 SecAlerts Pty Ltd.