CVE-2022-36944
Published 2022-09-23
CVE-2022-36944: Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java…
Priority: P261 · critical · CVSS 3.1 score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 8.19% (94.2th percentile)
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | scala | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| scala-lang | scala | >= 2.13.0 < 2.13.9 | 2.13.9 |
| scala-lang | scala-collection-compat | < 2.9.0 | 2.9.0 |
Detection & IOCs (extracted from sources)
- The deserialization gadget chain in Scala 2.13.x is triggered via a LazyList containing a malicious Function0 call; monitor for deserialization of untrusted data that invokes Function0 functions in Scala applications.
- The exploit vector is Java object deserialization within an application that uses Scala's LazyList; flag any application endpoint that deserializes untrusted Java objects when Scala 2.13.x (before 2.13.9) is on the classpath.
- The gadget chain resides in Scala's JAR file itself; the presence of scala-library 2.13.x < 2.13.9 on the classpath of any service accepting serialized Java objects should be treated as a high-risk condition.
- The vulnerability cannot be exploited standalone; exploitation requires that the target application performs Java object deserialization of attacker-controlled data, so assess only applications with such an attack surface.
- Mitigation (short of patching to 2.13.9+) is to never permit deserialization of untrusted data in any application using Scala's LazyList.
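The second and third indicators above reduce to a classpath inventory question: is a scala-library in the 2.13.0 to 2.13.8 range, or a scala-collection-compat below 2.9.0, present in a service that accepts serialized Java objects? The script below is an added example, not part of this advisory or of the Scala project. It walks a set of jar files, identifies each one from its Maven `META-INF/maven/*/*/pom.properties` entry when that exists and from the `artifact-version.jar` file name otherwise (an assumption: OSGi manifest metadata is not consulted), and reports every jar that falls inside the affected ranges from the table above. The sample jars it builds in `build_demo_jars` are constructed in a temporary directory for the demo run. A hit means only that the gadget chain is on the classpath; per the advisory it is exploitable only where the application also deserializes attacker-controlled data, so the finding is a prompt to review those endpoints or upgrade, not proof of exposure.

```python
"""Classpath check for the Scala artifacts this advisory lists as affected.

Added example (not the advisory's or the Scala project's code): identifies jars by
Maven pom.properties or file name and flags those inside the affected ranges.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Affected ranges as the advisory's table gives them:
# (artifact prefix, lowest affected version inclusive or None, first fixed version).
AFFECTED_RANGES = [
    ("scala-library", "2.13.0", "2.13.9"),
    ("scala-collection-compat", None, "2.9.0"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
_FILENAME_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+\.\d+(?:\.\d+)*[\w.-]*)\.jar$"
)


def parse_version(text):
    """Comparable key for a version string; a suffix such as '-RC1' sorts below the bare release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad so that '2.13' compares equal to '2.13.0'
    return nums, 0 if m.group(2) else 1


def is_affected(artifact, version):
    """True when (artifact, version) lies inside one of AFFECTED_RANGES.

    Cross-built artifacts carry a '_2.13'-style suffix, so the prefix match
    accepts 'scala-collection-compat_2.13' as well as the bare name.
    """
    key = parse_version(version)
    for prefix, low, high in AFFECTED_RANGES:
        if artifact != prefix and not artifact.startswith(prefix + "_"):
            continue
        if low is not None and key < parse_version(low):
            continue
        if key < parse_version(high):
            return True
    return False


def identify_jar(path):
    """(artifactId, version) from META-INF/maven/.../pom.properties, else from the file name, else None."""
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        k, v = line.split("=", 1)
                        props[k.strip()] = v.strip()
                if "artifactId" in props and "version" in props:
                    return props["artifactId"], props["version"]
    m = _FILENAME_RE.match(Path(path).name)
    return (m.group("artifact"), m.group("version")) if m else None


def scan_classpath(jar_paths):
    """Return (path, artifact, version) for every jar that identify_jar() places in an affected range."""
    findings = []
    for p in jar_paths:
        ident = identify_jar(p)
        if ident is not None and is_affected(*ident):
            findings.append((str(p), ident[0], ident[1]))
    return findings


def build_demo_jars(directory):
    """Write constructed sample jars (manifest plus, for some, a pom.properties) and return their paths."""
    directory = Path(directory)
    samples = [  # (file name, groupId, artifactId, version); None means no pom.properties inside
        ("scala-library-2.13.8.jar", "org.scala-lang", "scala-library", "2.13.8"),
        ("scala-library-2.13.9.jar", "org.scala-lang", "scala-library", "2.13.9"),
        ("scala-library-2.12.17.jar", "org.scala-lang", "scala-library", "2.12.17"),
        ("scala-collection-compat_2.13-2.8.1.jar", "org.scala-lang.modules",
         "scala-collection-compat_2.13", "2.8.1"),
        ("scala-library-2.13.2.jar", None, None, None),  # identified from the file name only
        ("renamed.jar", None, None, None),               # no usable metadata: skipped
    ]
    paths = []
    for fname, group, artifact, version in samples:
        path = directory / fname
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if group is not None:
                zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                            f"#constructed sample\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
        paths.append(path)
    return paths


def demo_scan():
    """Build the constructed jars in a temporary directory, scan them, return sorted (artifact, version)."""
    with tempfile.TemporaryDirectory() as d:
        return sorted((a, v) for _, a, v in scan_classpath(build_demo_jars(d)))


if __name__ == "__main__":
    for artifact, version in demo_scan():
        print(f"AFFECTED {artifact} {version}")
```

On a real host, replace `build_demo_jars` with `Path("/opt/app/lib").glob("*.jar")` (or the entries of the JVM's `-cp`), and treat a pre-release such as `2.13.9-RC1` as still affected, which the version key does by sorting suffixed versions below the bare release.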
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
OSV
Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization
osv · 2022-09-25 · CRITICAL
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
GHSA
Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization
ghsa · 2022-09-25 · CRITICAL · CWE-502
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with LazyList object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
OSV
CVE-2022-36944: Scala 2
osv · 2022-09-23 · CVSS 9.8 · CRITICAL
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
Oracle
Oracle Financial Services Applications Risk Matrix: Installer (Scala) vulnerability
vendor_oracle · 2024-07-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2022-36944
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Oracle
Oracle Communications Applications Risk Matrix: Security (Scala) vulnerability
vendor_oracle · 2024-01-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2022-36944
CVSS: 9.8
Protocol: TCP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Oracle
Oracle Communications Risk Matrix: CMP (Scala) vulnerability
vendor_oracle · 2023-10-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2022-36944
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Oracle
Oracle Communications Risk Matrix: Other (Scala) vulnerability
vendor_oracle · 2023-07-15 · CVSS 9.8 · CRITICAL
CVE: CVE-2022-36944
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2023 (JUL 2023)
Red Hat
scala: deserialization gadget chain
vendor_redhat · 2022-09-23 · CVSS 9.8 · CRITICAL · CWE-502
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
A flaw was found in Scala's LazyList that permits code execution during deserialization. This issue could allow an attacker to craft a LazyList containing a malicious Function0 call to execute arbitrary code on a server that deserializes untrusted data.
Mitigation: Users of Scala's LazyList should never permit deserialization of untrusted data.
Package: scala (R
Debian
CVE-2022-36944: scala - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On ...
vendor_debian · 2022 · CVSS 9.8 · CRITICAL
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Qualys
Oracle Critical Patch Update, July 2024 Security Update Review
blogs_qualys · 2024-07-17
Table of Contents:
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its third quarterly edition of Critical Patch Update, which contains patches for 386 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the third quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 95, constituting about 24% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middleware foll
Qualys
Oracle Patch Update, January 2024 Security Update Review
blogs_qualys · 2024-01-17
Table of Contents:
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Oracle has released its first quarterly edition of Critical Patch Update, which contains patches for 389 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in a wide range of product families, including Oracle code and third-party components included in Oracle products.
In the first quarterly Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of patches, 71, constituting 18% of the total patches released. Oracle Communications and Oracle Communications Applications follow
Qualys
Oracle Patch Tuesday, October 2023 Security Update Review
blogs_qualys · 2023-10-18
Table of Contents:
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released its fourth quarterly edition of Critical Patch Update, which contains a group of patches for 387 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During the Q4 2023 Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of 103 patches, constituting 26% of the total patches released. Oracle Communications and Oracle Fusion Middleware fo
Qualys
Oracle Patch Tuesday, July 2023 Security Update Review
blogs_qualys · 2023-07-19
Table of Contents:
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle has released its third quarterly edition of Critical Patch Update, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q3 2023 Oracle Critical Patch Update, the Oracle Financial Services Applications received the highest number of 147 patches, constituting 29% of the total patches released. Oracle Communications and Oracle Fusion Middleware followed, with
References
- https://discuss.lightbend.com/t/impact-of-cve-2022-36944-on-akka-cluster-akka-actor-akka-remote/10007/2
- https://github.com/scala/scala-collection-compat/releases/tag/v2.9.0
- https://github.com/scala/scala/pull/10118
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ZOZVWY3X72FZZCCRAKRJYTQOJ6LUD6Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3WMKPFAMFQE3HJVRQ5KOJUTWG264SXI/
- https://www.scala-lang.org/download/
Published: 2022-09-23