CVE-2023-45146: 
Java vulnerability analysis and mitigation

XXL-RPC, a high performance distributed RPC framework, contains a critical vulnerability (CVE-2023-45146) discovered in October 2023. The vulnerability affects all versions up to and including 1.7.0 when using the Netty framework with Hessian serialization mechanism. This vulnerability has not been fixed as of the latest reports (GitHub Advisory, NVD).

The vulnerability stems from unsafe deserialization in HessianSerializer.java. When configured with a Netty server and Hessian deserializer, the system directly passes incoming message data to Hessian2Input.readObject for deserialization without proper validation. XXL-RPC uses com.caucho's implementation of Hessian, which is known to be vulnerable to unsafe deserialization. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H and is classified as CWE-502 (Deserialization of Untrusted Data) (GitHub Advisory, NVD).

This vulnerability can lead to Remote Code Execution (RCE), allowing attackers to take control of the machine running the server. When exploited, attackers can connect to the server and provide malicious serialized objects that, once deserialized, force the system to execute arbitrary code (GitHub Advisory).

Currently, there is no official fix available for this vulnerability. The issue remains unpatched in the latest versions of XXL-RPC. While some alternative implementations like sofa-hessian attempt to mitigate similar issues through disallow lists of forbidden objects, this approach is not considered a perfect solution (GitHub Advisory).