From 80e9ebd30a966c3d445575b4d20be77f4b7f8dfb Mon Sep 17 00:00:00 2001
From: Valera V Harseko <vharseko@3a-systems.ru>
Date: Fri, 17 Jul 2026 11:14:50 +0000
Subject: [PATCH] CVE-2026-62373 JMX MBean-argument deserialization without a serial filter

---
 opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java |   52 +++++++++++++++++++++++++++++++++++++++++++++-------
 1 files changed, 45 insertions(+), 7 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java b/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java
index fa14fa0..3b7f82e 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiConnector.java
@@ -71,10 +71,8 @@
   /**
    * JDK 10+ JMX environment property scoping a JEP 290 deserialization
    * filter to the credentials object passed during {@code newClient()}.
-   * Using the credentials-scoped filter (instead of the connector-wide
-   * {@code jmx.remote.rmi.server.serial.filter.pattern}) avoids breaking
-   * legitimate JMX traffic such as MBean invocations and notifications,
-   * which may legitimately carry non-String types.
+   * It is the tightest of the two filters configured below (it accepts only
+   * the two-element {@code String[]} used for SASL/PLAIN authentication).
    * <p>
    * Note: this property is mutually exclusive with
    * {@code jmx.remote.rmi.server.credential.types}; specifying both makes
@@ -91,6 +89,38 @@
 
 
   /**
+   * JDK 10+ JMX environment property installing a JEP 290 deserialization
+   * filter for the whole RMI connection, in particular the arguments of MBean
+   * operations ({@code invoke}) and attribute values ({@code setAttribute}).
+   * Unlike {@link #JMX_REMOTE_RMI_SERVER_CREDENTIALS_FILTER_PATTERN}, which
+   * only guards the credentials object exchanged during authentication, this
+   * filter closes the post-authentication deserialization surface: without it,
+   * an authenticated client could drive native deserialization of arbitrary
+   * object graphs through MBean operation arguments
+   * (advisory GHSA-qj63-3vrg-vcfx, incomplete fix of CVE-2026-46495).
+   */
+  static final String JMX_REMOTE_RMI_SERVER_SERIAL_FILTER_PATTERN =
+      "jmx.remote.rmi.server.serial.filter.pattern";
+
+
+  /**
+   * Allowlist of the JDK and JMX management types OpenDJ legitimately receives
+   * as MBean operation arguments / attribute values, rejecting everything else
+   * via the trailing {@code !*}. OpenDJ exposes read-only configuration and
+   * monitoring attributes and no MBean operations, so the only types that need
+   * to cross this filter are strings, primitive wrappers and the standard
+   * {@code javax.management} request types ({@code ObjectName},
+   * {@code Attribute}, {@code AttributeList}, {@code QueryExp}, ...).
+   */
+  private static final String JMX_OPERATION_SERIAL_FILTER =
+      "maxdepth=20;"
+      + "java.lang.*;java.math.BigInteger;java.math.BigDecimal;"
+      + "java.util.*;"
+      + "javax.management.*;javax.management.openmbean.*;"
+      + "!*";
+
+
+  /**
    * The MBean server used to handle JMX interaction.
    */
   private MBeanServer mbs;
@@ -398,15 +428,23 @@
 
   static void configureJmxDeserializationProtection(Map<String, Object> env)
   {
-    // Scope the JEP 290 deserialization filter to the credentials object
-    // only, so legitimate JMX RMI traffic (MBean operations, notifications,
-    // etc.) is not affected by the restrictive allowlist.
+    // Tightly constrain the credentials object exchanged during authentication
+    // (CVE-2026-46495): only a two-element String[] is accepted.
     //
     // Do NOT also set "jmx.remote.rmi.server.credential.types": the JDK
     // rejects an environment that defines both properties, which would
     // prevent the RMI connector from starting.
     env.put(JMX_REMOTE_RMI_SERVER_CREDENTIALS_FILTER_PATTERN,
         JMX_CREDENTIAL_SERIAL_FILTER);
+
+    // Additionally constrain the rest of the RMI connection -- in particular
+    // MBean operation arguments and attribute values, which are deserialized
+    // after authentication -- to a small allowlist of JDK and JMX management
+    // types. This closes the post-authentication deserialization surface left
+    // open by the credentials-only filter
+    // (GHSA-qj63-3vrg-vcfx, incomplete fix of CVE-2026-46495).
+    env.put(JMX_REMOTE_RMI_SERVER_SERIAL_FILTER_PATTERN,
+        JMX_OPERATION_SERIAL_FILTER);
   }
 
   /**

--
Gitblit v1.10.0