CVE-2023-36480: 
Java vulnerability analysis and mitigation

The Aerospike Java client prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contains a vulnerability in its network protocol implementation that allows unsafe deserialization of server responses. The vulnerability was discovered by GitHub CodeQL team members Tony Torralba and Joseph Farebrother and was assigned CVE-2023-36480 (GitHub Advisory, NVD).

The vulnerability exists in the client's handling of messages received from the Aerospike server. When the client encounters Java objects in server responses, it deserializes them without proper validation. The deserialization occurs in multiple code paths, notably through the NettyCommand class's InboundHandler and the Unpacker.unpackBlock method. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (GitHub Advisory).

An attacker who can trick clients into communicating with a malicious server can include specially crafted objects in responses that, when deserialized by the client, allow execution of arbitrary code. This can lead to complete compromise of the machine running the client (GitHub Advisory).

The vulnerability has been patched in versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0. Users should upgrade to these versions or later. All existing database objects that were serialized using the vulnerable format need to be converted to a safer format (such as Aerospike native types, protobuf, msgpack, json, or xml) using a previous client version (GitHub Advisory).