cnvd-2022-01778
Vulnerability from cnvd
Title
Apache DB DdlUtils代码问题漏洞
Description
Apache DB DdlUtils是美国阿帕奇(Apache)基金会的一个易于使用的小型组件,用于处理数据库定义 (DDL) 文件。 Apache DB DdlUtils 1.0存在代码问题漏洞,该漏洞源于BinaryObjectsHelper类不安全,使用 ObjectInputStream.readObject 时未能验证输入数据是否可以安全地反序列化。攻击者可以利用漏洞造成远程代码执行。
Severity
Patch Name
Apache DB DdlUtils代码问题漏洞的补丁
Patch Description
Apache DB DdlUtils是美国阿帕奇(Apache)基金会的一个易于使用的小型组件,用于处理数据库定义 (DDL) 文件。 Apache DB DdlUtils 1.0存在代码问题漏洞,该漏洞源于BinaryObjectsHelper类不安全,使用 ObjectInputStream.readObject 时未能验证输入数据是否可以安全地反序列化。攻击者可以利用漏洞造成远程代码执行。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description

目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://lists.apache.org/thread.html/r3d7a8303a820144f5e2d1fd0b067e18d419421b58346b53b58d3fa72%40%3Cannounce.apache.org%3E

Reference
https://nvd.nist.gov/vuln/detail/CVE-2021-41616
Impacted products
Name
Apache Apache DB DdlUtils 1.0
Show details on source website

To clipboard 

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41616",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-41616"
    }
  },
  "description": "Apache DB DdlUtils\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6613\u4e8e\u4f7f\u7528\u7684\u5c0f\u578b\u7ec4\u4ef6\uff0c\u7528\u4e8e\u5904\u7406\u6570\u636e\u5e93\u5b9a\u4e49 (DDL) \u6587\u4ef6\u3002\n\nApache DB DdlUtils 1.0\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eBinaryObjectsHelper\u7c7b\u4e0d\u5b89\u5168\uff0c\u4f7f\u7528 ObjectInputStream.readObject \u65f6\u672a\u80fd\u9a8c\u8bc1\u8f93\u5165\u6570\u636e\u662f\u5426\u53ef\u4ee5\u5b89\u5168\u5730\u53cd\u5e8f\u5217\u5316\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u9020\u6210\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread.html/r3d7a8303a820144f5e2d1fd0b067e18d419421b58346b53b58d3fa72%40%3Cannounce.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-01778",
  "openTime": "2022-01-08",
  "patchDescription": "Apache DB DdlUtils\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6613\u4e8e\u4f7f\u7528\u7684\u5c0f\u578b\u7ec4\u4ef6\uff0c\u7528\u4e8e\u5904\u7406\u6570\u636e\u5e93\u5b9a\u4e49 (DDL) \u6587\u4ef6\u3002\r\n\r\nApache DB DdlUtils 1.0\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eBinaryObjectsHelper\u7c7b\u4e0d\u5b89\u5168\uff0c\u4f7f\u7528 ObjectInputStream.readObject \u65f6\u672a\u80fd\u9a8c\u8bc1\u8f93\u5165\u6570\u636e\u662f\u5426\u53ef\u4ee5\u5b89\u5168\u5730\u53cd\u5e8f\u5217\u5316\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u9020\u6210\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache DB DdlUtils\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache DB DdlUtils 1.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41616",
  "serverity": "\u9ad8",
  "submitTime": "2021-10-14",
  "title": "Apache DB DdlUtils\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.