
Cloud Vulnerability DB
A community-led vulnerabilities database
SOFARPC, a Java RPC framework, contains a vulnerability (CVE-2024-23636) in versions prior to 5.12.0. The framework defaults to using the SOFA Hessian protocol for data deserialization, which implements a blacklist mechanism to restrict potentially dangerous class deserialization. However, a discovered gadget chain can bypass this protection mechanism using only JDK components without requiring third-party dependencies (GitHub Advisory).
The vulnerability stems from insufficient coverage in the SOFA Hessian protocol's blacklist: a gadget chain can circumvent the existing controls, leading to deserialization of classes the blacklist was meant to block. It is particularly concerning because the chain is built only from JDK classes and so does not depend on any particular third-party library being present on the target's classpath, which makes exploitation more accessible to attackers (GitHub Advisory).
If exploited, this vulnerability could potentially lead to Remote Code Execution (RCE) on affected systems. The severity is classified as Low, but the potential for remote code execution makes it significant for systems using the affected versions of SOFARPC (GitHub Advisory).
The vulnerability has been patched in SOFARPC version 5.12.0. For users unable to upgrade immediately, a workaround is to extend the serialization blacklist with an additional entry by starting the JVM with the system property -Drpc_serialize_blacklist_override=org.apache.xpath. Users are strongly advised to upgrade to version 5.12.0 for complete protection (GitHub Advisory).
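As an added example (not part of the advisory or the SOFARPC project), the following script classifies a deployment against the facts above: the dependency version relative to 5.12.0 and whether the JVM was started with the rpc_serialize_blacklist_override workaround. It assumes the property value is a comma-separated list of blacklist entries, and the inventory data is constructed.

```python
import re

FIXED_VERSION = (5, 12, 0)                      # first SOFARPC release with the fix
BLACKLIST_PROPERTY = "rpc_serialize_blacklist_override"
WORKAROUND_ENTRY = "org.apache.xpath"           # entry named in the advisory workaround

def parse_version(version: str) -> tuple:
    """Turn '5.11.1' (or '5.11.1-SNAPSHOT') into a comparable tuple of ints."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(version: str) -> bool:
    """Versions prior to 5.12.0 are affected."""
    return parse_version(version) < FIXED_VERSION

def workaround_present(jvm_args) -> bool:
    """True if -Drpc_serialize_blacklist_override=... lists org.apache.xpath.
    Assumption: the property value is a comma-separated list of entries."""
    prefix = f"-D{BLACKLIST_PROPERTY}="
    for arg in jvm_args:
        if arg.startswith(prefix):
            entries = [e.strip() for e in arg[len(prefix):].split(",")]
            if WORKAROUND_ENTRY in entries:
                return True
    return False

def assess(version: str, jvm_args) -> str:
    """Classify one deployment as 'patched', 'mitigated' or 'vulnerable'."""
    if not is_vulnerable_version(version):
        return "patched"
    if workaround_present(jvm_args):
        return "mitigated"          # workaround applied, upgrade still advised
    return "vulnerable"

# Constructed sample deployments: (sofa-rpc version, JVM arguments). Not real data.
SAMPLE_DEPLOYMENTS = {
    "orders-svc": ("5.11.1", ["-Xmx2g", "-Dspring.profiles.active=prod"]),
    "billing-svc": ("5.11.1", ["-Xmx2g", f"-D{BLACKLIST_PROPERTY}={WORKAROUND_ENTRY}"]),
    "catalog-svc": ("5.12.0", ["-Xmx1g"]),
}

if __name__ == "__main__":
    for name, (ver, args) in SAMPLE_DEPLOYMENTS.items():
        print(f"{name:12s} sofa-rpc {ver:8s} -> {assess(ver, args)}")
```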
Source: This report was generated using AI