Nacos Jraft Hessian Deserialization Remote Code Execution Vulnerability

Jun 12, 2023 GMT+08:00

I. Overview

Recently, Nacos has released an updated version to fix a deserialization remote code execution vulnerability. When processing Jraft-based requests, the Nacos cluster uses hessian for deserialization, but does not restrict the deserialization class, which may allow remote code execution. Currently, the vulnerability exploitation details have been disclosed, and the risk is high.

Nacos is an open-source distributed service discovery, configuration, and management platform. If you are a Nacos user, check your system and implement timely security hardening.

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

1.4.0 <= Nacos < 1.4.6

2.0.0 <= Nacos < 2.2.3

Secure versions:

Nacos 1.4.6

Nacos 2.2.3

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

https://github.com/alibaba/nacos/releases/tag/1.4.6

https://github.com/alibaba/nacos/releases/tag/2.2.3

Mitigation measures:

The vulnerability only affects port 7848 (by default), which is typically used as the communication port for Nacos cluster inter-raft protocol and does not handle client requests. Therefore, the risk can be controlled by disabling requests from outside of Nacos clusters in earlier versions.

Huawei Cloud HSS (new version) can detect this vulnerability. Huawei Cloud HSS users can log in to the HSS console to detect host vulnerabilities. For details, see HSS Vulnerability Scan.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.