From 80e9ebd30a966c3d445575b4d20be77f4b7f8dfb Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Fri, 17 Jul 2026 11:14:50 +0000
Subject: [PATCH] CVE-2026-62373 JMX MBean-argument deserialization without a serial filter
---
opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java | 52 +++++++++++++++++++++++++++++++++++++++++++++-------
1 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java b/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java
index fa14fa0..3b7f82e 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java
@@ -71,10 +71,8 @@
/**
* JDK 10+ JMX environment property scoping a JEP 290 deserialization
* filter to the credentials object passed during {@code newClient()}.
- * Using the credentials-scoped filter (instead of the connector-wide
- * {@code jmx.remote.rmi.server.serial.filter.pattern}) avoids breaking
- * legitimate JMX traffic such as MBean invocations and notifications,
- * which may legitimately carry non-String types.
+ * It is the tightest of the two filters configured below (it accepts only
+ * the two-element {@code String[]} used for SASL/PLAIN authentication).
* <p>
* Note: this property is mutually exclusive with
* {@code jmx.remote.rmi.server.credential.types}; specifying both makes
@@ -91,6 +89,38 @@
/**
+ * JDK 10+ JMX environment property installing a JEP 290 deserialization
+ * filter for the whole RMI connection, in particular the arguments of MBean
+ * operations ({@code invoke}) and attribute values ({@code setAttribute}).
+ * Unlike {@link #JMX_REMOTE_RMI_SERVER_CREDENTIALS_FILTER_PATTERN}, which
+ * only guards the credentials object exchanged during authentication, this
+ * filter closes the post-authentication deserialization surface: without it,
+ * an authenticated client could drive native deserialization of arbitrary
+ * object graphs through MBean operation arguments
+ * (advisory GHSA-qj63-3vrg-vcfx, incomplete fix of CVE-2026-46495).
+ */
+ static final String JMX_REMOTE_RMI_SERVER_SERIAL_FILTER_PATTERN =
+ "jmx.remote.rmi.server.serial.filter.pattern";
+
+
+ /**
+ * Allowlist of the JDK and JMX management types OpenDJ legitimately receives
+ * as MBean operation arguments / attribute values, rejecting everything else
+ * via the trailing {@code !*}. OpenDJ exposes read-only configuration and
+ * monitoring attributes and no MBean operations, so the only types that need
+ * to cross this filter are strings, primitive wrappers and the standard
+ * {@code javax.management} request types ({@code ObjectName},
+ * {@code Attribute}, {@code AttributeList}, {@code QueryExp}, ...).
+ */
+ private static final String JMX_OPERATION_SERIAL_FILTER =
+ "maxdepth=20;"
+ + "java.lang.*;java.math.BigInteger;java.math.BigDecimal;"
+ + "java.util.*;"
+ + "javax.management.*;javax.management.openmbean.*;"
+ + "!*";
+
+
+ /**
* The MBean server used to handle JMX interaction.
*/
private MBeanServer mbs;
@@ -398,15 +428,23 @@
static void configureJmxDeserializationProtection(Map<String, Object> env)
{
- // Scope the JEP 290 deserialization filter to the credentials object
- // only, so legitimate JMX RMI traffic (MBean operations, notifications,
- // etc.) is not affected by the restrictive allowlist.
+ // Tightly constrain the credentials object exchanged during authentication
+ // (CVE-2026-46495): only a two-element String[] is accepted.
//
// Do NOT also set "jmx.remote.rmi.server.credential.types": the JDK
// rejects an environment that defines both properties, which would
// prevent the RMI connector from starting.
env.put(JMX_REMOTE_RMI_SERVER_CREDENTIALS_FILTER_PATTERN,
JMX_CREDENTIAL_SERIAL_FILTER);
+
+ // Additionally constrain the rest of the RMI connection -- in particular
+ // MBean operation arguments and attribute values, which are deserialized
+ // after authentication -- to a small allowlist of JDK and JMX management
+ // types. This closes the post-authentication deserialization surface left
+ // open by the credentials-only filter
+ // (GHSA-qj63-3vrg-vcfx, incomplete fix of CVE-2026-46495).
+ env.put(JMX_REMOTE_RMI_SERVER_SERIAL_FILTER_PATTERN,
+ JMX_OPERATION_SERIAL_FILTER);
}
/**
--
Gitblit v1.10.0