CVE-2023-41331
Published: 12 September 2023
Summary
CVE-2023-41331 is a critical-severity Expression Language Injection (CWE-917) vulnerability in Sofastack Sofarpc. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
SOFARPC is a Java RPC framework that uses deserialization of untrusted data during remote procedure calls. Versions prior to 5.11.0 rely on an incomplete blacklist to block dangerous classes, allowing attackers to chain native JDK classes and common third-party libraries into gadget chains that enable JNDI injection or arbitrary system command execution. The vulnerability is tracked as CWE-917 and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can supply a crafted serialized payload to any exposed SOFARPC endpoint. Successful exploitation grants full control over the target process, including the ability to execute operating-system commands or perform JNDI-based lookups that can load attacker-controlled classes.
The official fix is included in release 5.11.0. The project advisory and release notes also document a workaround that extends the serialization blacklist by setting the JVM argument -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat. The associated EPSS score has remained flat at 0.0519 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45841
Vulnerability details
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.
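The description above and the "Deeper analysis" section both turn on one point: a deny-list that names specific dangerous classes lets every class it does not name through, which is why the `rpc_serialize_blacklist_override` workaround only narrows the exposure. The following added example (not SOFARPC code, not its serializer, and not its blacklist mechanism) illustrates that principle with the JDK's own `java.io.ObjectInputFilter` (Java 9 or later) on standard Java serialization. It goes slightly beyond the page by also showing the allow-list form, where only the types an endpoint expects may be instantiated. The class names `FilterComparison`, `Request` and `NotOnDenyList` are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example: contrasts a deny-list deserialization filter with an
 * allow-list one using java.io.ObjectInputFilter (Java 9+). This is NOT
 * SOFARPC's serializer or its rpc_serialize_blacklist mechanism; it only
 * demonstrates the same class-filtering principle on JDK serialization.
 */
public class FilterComparison {

    // Constructed stand-in for a legitimate request type the endpoint expects.
    public static final class Request implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        Request(int id) { this.id = id; }
    }

    // Constructed stand-in for any class the deny-list does not name.
    // It is harmless here; the point is only that the filter never sees a reason to stop it.
    public static final class NotOnDenyList implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Returns the name of the class that was deserialized, or null if the filter rejected it. */
    static String readWith(ObjectInputFilter filter, byte[] bytes) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject().getClass().getName();
        } catch (InvalidClassException rejected) {
            return null;  // the filter returned REJECTED, so no instance was created
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] request = serialize(new Request(42));
        byte[] unlisted = serialize(new NotOnDenyList());

        // Deny-list: blocks one named class, in the same style as the advisory's
        // -Drpc_serialize_blacklist_override workaround. Any class it does not name
        // returns UNDECIDED, which ObjectInputStream treats as accepted; that gap is
        // what an incomplete blacklist leaves open.
        ObjectInputFilter denyList = ObjectInputFilter.Config.createFilter(
                "!javax.sound.sampled.AudioFileFormat");

        // Allow-list: names the expected type, then "!*" rejects everything else.
        // A class the endpoint does not expect is never instantiated at all.
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "FilterComparison$Request;!*");

        System.out.println("deny-list,  expected type : " + readWith(denyList, request));
        System.out.println("deny-list,  unlisted class: " + readWith(denyList, unlisted));
        System.out.println("allow-list, expected type : " + readWith(allowList, request));
        System.out.println("allow-list, unlisted class: " + readWith(allowList, unlisted));
    }
}
```

Compile and run with `javac FilterComparison.java && java FilterComparison`. The deny-list accepts both payloads because it only knows what to reject; the allow-list accepts `Request` and rejects the unlisted class, which is the property a blacklist-override such as the one in the advisory cannot provide on its own. For a deployed SOFARPC service the practical checks remain the ones the page gives: confirm the running version is 5.11.0 or later, or that the JVM was started with the documented override argument.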
- CWE(s): CWE-917 (Expression Language Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.