CVE-2023-42809
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2023-42809 is a vulnerability affecting the Java Redis client Redisson, which uses the Netty framework. Prior to version 3.22.0, the client deserializes Java objects from Redis server responses without validation, leaving it susceptible to arbitrary code execution. Attackers can exploit this by crafting and sending malicious objects to the client, allowing them to take control of the machine. Version 3.22.0 includes a patch to address this issue. It is recommended to avoid using `Kryo5Codec` as the deserialization codec, because it deserializes arbitrary objects; `KryoCodec` is a safer alternative. Redisson's `SerializationCodec` was patched to accept an optional allowlist of class names for deserialization; because the allowlist is optional, it is advised to use the constructor `SerializationCodec(ClassLoader classLoader, Set<String> allowedClasses)` so that deserialization is restricted to the allowed classes.
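Wiring the allowlisted `SerializationCodec` into a Redisson `Config` and checking that it rejects a class outside the allowlist, as an added example that is not code from Redisson or from this advisory. The `Order` class, the placeholder Redis address, and the assumption that a non-allowlisted class is rejected with an `IOException` (the `Decoder` contract) are this example's own.

```java
import io.netty.buffer.ByteBuf;
import java.io.IOException;
import java.io.Serializable;
import java.util.Set;
import org.redisson.Redisson;
import org.redisson.api.RedissonClient;
import org.redisson.client.codec.Codec;
import org.redisson.codec.SerializationCodec;
import org.redisson.config.Config;

public class AllowlistCodecExample {

    // Hypothetical application value type stored in Redis (constructed for this example).
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Every class described in the serialized stream must be listed. Order's only field is a
    // String, which Java serialization writes inline without a class descriptor, so Order suffices.
    static final Set<String> ALLOWED = Set.of(Order.class.getName());

    // Hardened codec: the 3.22.0 constructor that limits deserialization to the allowlist.
    static Codec hardenedCodec() {
        return new SerializationCodec(AllowlistCodecExample.class.getClassLoader(), ALLOWED);
    }

    // Client configured with the hardened codec instead of Kryo5Codec or an unrestricted codec.
    static RedissonClient connect(String address) {
        Config config = new Config();
        config.useSingleServer().setAddress(address); // placeholder, e.g. "redis://127.0.0.1:6379"
        config.setCodec(hardenedCodec());
        return Redisson.create(config);
    }

    // Round-trips an allowlisted value, then confirms a Serializable class that is not
    // allowlisted (java.util.Date) cannot be deserialized through the codec.
    public static void main(String[] args) throws IOException {
        Codec codec = hardenedCodec();
        ByteBuf encoded = codec.getValueEncoder().encode(new Order("A-1"));
        Order back = (Order) codec.getValueDecoder().decode(encoded, null);
        System.out.println("allowlisted type decoded: " + back.id);

        ByteBuf notAllowed = codec.getValueEncoder().encode(new java.util.Date());
        try {
            codec.getValueDecoder().decode(notAllowed, null);
            System.out.println("UNEXPECTED: non-allowlisted class was deserialized");
        } catch (IOException e) { // assumed: allowlist violation surfaces as an IOException
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```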