Major Vulnerability
RealmKebab opened this issue · 3 comments
Your mod has a vulnerability; it affects versions 1.8.9-1.12.2 (according to serialization is bad). Because your mod is included in MANY modpacks, this is a huge major vulnerability. I advise you to fix it immediately.
https://github.com/dogboy21/serializationisbad
https://blog.mmpa.info/posts/bleeding-pipe/
Bad code at https://github.com/bdew-minecraft/bdlib/blob/mc1.12/src/net/bdew/lib/network/SerializedMessageCodec.scala#L36
This allows instantiation of arbitrary classes, which can be escalated to RCE.
It should use an input stream that limits which classes can be instantiated;
see https://github.com/dogboy21/serializationisbad/blob/master/core/src/main/java/io/dogboy/serializationisbad/core/ClassFilteringObjectInputStream.java
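For readers who want to see what "an input stream that limits which classes can be instantiated" looks like in practice, here is an added example of the allowlisting technique. It is not bdlib's code and not the serializationisbad patch linked above; the `ExampleMessage` class, the `FilteredDeserializationDemo` wrapper and the `readFiltered` helper are hypothetical names chosen for this illustration. It assumes the mod only ever needs to deserialize a fixed, known set of message classes, which is the property that makes an allowlist workable:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

// Added example (not bdlib's or serializationisbad's code): an ObjectInputStream
// that refuses to resolve any class outside an explicit allowlist.
public class FilteredDeserializationDemo {

    /** ObjectInputStream that only resolves classes on an explicit allowlist. */
    public static final class ClassFilteringObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public ClassFilteringObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // resolveClass runs for every class descriptor in the stream, including
            // serializable superclasses and array types, so the allowlist must name all of them.
            if (!allowed.contains(name)) {
                // Rejecting before super.resolveClass means the class is never loaded:
                // neither its static initializer nor its readObject/readResolve can run.
                throw new InvalidClassException(name, "class not permitted in network messages");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies are a common gadget-chain entry point; messages never need them.
            throw new InvalidClassException("java.lang.reflect.Proxy", "proxy classes not permitted");
        }
    }

    /** Hypothetical message type standing in for a mod's own message classes. */
    public static final class ExampleMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final int blockId;
        final String label;
        ExampleMessage(int blockId, String label) { this.blockId = blockId; this.label = label; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readFiltered(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ClassFilteringObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Java 8 compatible allowlist (the affected Minecraft versions ran on Java 8).
        Set<String> allowed = Collections.singleton(ExampleMessage.class.getName());

        // The expected message type resolves normally.
        ExampleMessage msg = (ExampleMessage) readFiltered(serialize(new ExampleMessage(42, "furnace")), allowed);
        System.out.println("accepted: " + msg.blockId + " " + msg.label);

        // Anything else (a HashMap here, standing in for the root object of a gadget chain)
        // is refused before its class is loaded. Constructed input, not a real payload.
        try {
            readFiltered(serialize(new HashMap<String, String>()), allowed);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist has to be exact: every serializable superclass, every enum and every array element type that a legitimate message contains gets its own descriptor and its own `resolveClass` call, so the usual way to build the list is to serialize each real message type once and record which names are resolved. On Java 9 and later (and 8u121+ via JEP 290) the same policy can be expressed with `ObjectInputFilter` instead of a subclass, but the filter still has to be set on every `ObjectInputStream` the mod creates.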
Just so this thread has some actionable advice
Preventative:
- Forge 1.7 to 1.19 - On both server and client, add this mod https://github.com/dogboy21/serializationisbad/releases to your modpack instance. It will auto-patch the affected mods. This file has proof that it contains support specifically for bdlib.
- Forge 1.6 or below - Use the Java Agent described in this README - https://github.com/dogboy21/serializationisbad#any-other-instances
- PipeBlocker may also be able to mitigate some of the problems, but I haven't checked it.
Cleanup:
It is currently unknown which anti-malware vendors target some of the malware that has spread through this route. Right now, exercise caution, enable 2FA on your accounts, practice good security, and don't fall for alarmism.
Closing this in favor of #57 which has more information