Cyber Resilience

CVE-2023-41331

Critical · RCE

Published: 12 September 2023
Modified: 21 November 2024
KEV Added: not listed in CISA KEV
Patch: fixed in 5.11.0
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0519 (90.1st percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-41331 is a critical-severity vulnerability in SOFARPC (vendor SOFAStack), tracked as CWE-917 (Expression Language Injection). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 9.9% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

SOFARPC is a Java RPC framework that deserializes data received from remote callers during remote procedure calls. Versions prior to 5.11.0 rely on an incomplete blacklist to block dangerous classes during deserialization, so an attacker can chain native JDK classes and common third-party libraries into gadget chains that achieve JNDI injection or arbitrary system command execution. The vulnerability is tracked as CWE-917 and carries a CVSS 3.1 score of 9.8. Note that the mechanism the advisory describes is a deserialization gadget chain, which is why both the fix and the workaround concern the deserialization blacklist rather than an expression-language parser.

An unauthenticated remote attacker who can reach an exposed SOFARPC endpoint can submit a crafted serialized payload; the CVSS vector (network, low complexity, no privileges, no user interaction) reflects this. Successful exploitation grants code execution in the target process, including the ability to run operating-system commands or to trigger JNDI lookups that load attacker-controlled classes.

The official fix is included in release 5.11.0. The project advisory also documents a workaround that extends the serialization blacklist by setting the JVM argument -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat. That workaround adds a single class to a blacklist the advisory itself describes as not comprehensive, so treat it as a stopgap and upgrade; do not assume other gadget entry points are covered. The associated EPSS score has remained flat at 0.0519 with no material increase after disclosure.
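The following triage helper is an added example for this page, not SOFARPC project code. It takes two artefacts an operator can collect from a host (the classpath entries and the JVM command line) and reports whether each deployed SOFARPC jar is in the affected range (strictly before 5.11.0) and whether the documented workaround property is present, while still recommending the upgrade when only the workaround is in place. Two assumptions are not from the advisory: SOFARPC jars are named sofa-rpc-<module>-<version>.jar, and the override property holds a comma-separated class list. The sample classpath and command line are constructed.

```python
"""Triage helper for CVE-2023-41331 (SOFARPC before 5.11.0).

Added example for this page; it is not SOFARPC project code. Given the
classpath entries and the JVM command line of a host, it reports whether the
deployed SOFARPC version is in the affected range and whether the advisory's
documented workaround property is present. Assumptions (not from the
advisory): SOFARPC jars are named sofa-rpc-<module>-<version>.jar, and the
override property holds a comma-separated class list.
"""
import re
import shlex
from dataclasses import dataclass

FIXED_VERSION = (5, 11, 0)
WORKAROUND_PROPERTY = "rpc_serialize_blacklist_override"
WORKAROUND_CLASS = "javax.sound.sampled.AudioFileFormat"

# Matches e.g. sofa-rpc-all-5.10.0.jar or sofa-rpc-core-5.8.3.1.jar (assumed naming).
_JAR_RE = re.compile(r"^sofa-rpc(?:-[a-z]+)*-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'5.10.0' -> (5, 10, 0). Pads or truncates to three components so that
    '5.11' compares equal to '5.11.0'; a '-SNAPSHOT' style suffix is dropped."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """Affected range per the advisory: strictly before 5.11.0."""
    return parse_version(version) < FIXED_VERSION


def sofarpc_versions(classpath_entries):
    """Map each SOFARPC jar on the classpath to its version string."""
    found = {}
    for entry in classpath_entries:
        basename = entry.replace("\\", "/").rsplit("/", 1)[-1]
        m = _JAR_RE.match(basename)
        if m:
            found[entry] = m.group(1)
    return found


def jvm_properties(cmdline):
    """Collect -Dkey=value system properties from a JVM command line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            props[key] = value
    return props


def workaround_present(cmdline):
    """True if the documented blacklist override names the advisory's class."""
    value = jvm_properties(cmdline).get(WORKAROUND_PROPERTY, "")
    classes = {c.strip() for c in value.split(",")}  # comma list is an assumption
    return WORKAROUND_CLASS in classes


@dataclass
class Finding:
    jar: str
    version: str
    affected: bool
    workaround: bool

    @property
    def action(self):
        if not self.affected:
            return "not affected"
        if self.workaround:
            # The override adds one class to a blacklist the advisory itself
            # calls incomplete, so it is a stopgap rather than a fix.
            return "workaround present; still upgrade to 5.11.0 or later"
        return "UPGRADE to 5.11.0 or later"


def triage(classpath_entries, cmdline):
    """One Finding per SOFARPC jar found on the classpath."""
    has_workaround = workaround_present(cmdline)
    return [
        Finding(jar, ver, is_affected(ver), has_workaround)
        for jar, ver in sofarpc_versions(classpath_entries).items()
    ]


# Constructed sample input: not captured from a real host.
SAMPLE_CLASSPATH = [
    "/opt/app/lib/sofa-rpc-all-5.10.0.jar",
    "/opt/app/lib/slf4j-api-1.7.36.jar",
    "/opt/legacy/lib/sofa-rpc-core-5.8.3.1.jar",
    "/opt/new/lib/sofa-rpc-all-5.11.0.jar",
]
SAMPLE_CMDLINE = (
    "java -Xmx2g "
    "-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat "
    "-jar /opt/app/app.jar"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_CLASSPATH, SAMPLE_CMDLINE):
        print(f"{f.jar}: {f.version} -> {f.action}")
```

On a real host, feed it the output of the process's classpath (for example from the JVM's -cp argument or the jar's manifest Class-Path) and the command line from ps or /proc/<pid>/cmdline; four-component versions such as 5.8.3.1 are handled by comparing only the first three components.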

Vulnerability details

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.

CWE(s)

CWE-917: Expression Language Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sofastack
Product: sofarpc
Versions: < 5.11.0 (fixed in 5.11.0)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
