Description

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=2065505

https://access.redhat.com/errata/RHSA-2022:6813

https://access.redhat.com/security/cve/CVE-2022-1415

Related Vulnerabilities

CVE-2012-0838 Vulnerability in maven package org.apache.struts.xwork:xwork-core

CVE-2018-1114 Vulnerability in maven package io.undertow:undertow-core

CVE-2016-0779 Vulnerability in maven package org.apache.tomee:openejb-client

CVE-2020-7961 Vulnerability in maven package com.liferay.portal:portal-impl

CVE-2022-36907 Vulnerability in maven package org.jenkins-ci.plugins:openshift-deployer

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Issue Tracking Vendor Advisory