MyBatis Remote Code Execution Vulnerability CVE-2020-26945


We have received another security vulnerability report caused by object stream deserialization.

When all of the following conditions are met, the attacker can trigger RCE (remote code execution).

- the user enabled the built-in 2nd level cache [1]
- the user did not setup JEP-290 filter
- the attacker found a way to modify entries of the private Map field i.e. org.apache.ibatis.cache.impl.PerpetualCache.cache and a valid cache key

We thank clanceyzzz of JD Sprite Team for reporting the issue!

Once this PR gets merged, MyBatis outputs WARN level log message when deserializing object.

As you are using functionality that deserializes object streams, it is recommended to define the JEP-290 serial filter. Please refer to https://docs.oracle.com/pls/topic/lookup?ctx=javase15&id=GUID-8296D8E8-2B93-4B9A-856E-0A65AF9B8C66

Note that:

- the message is not logged when the JEP-290 filter is already defined
- the message is logged just once right before the first deserialization

If WARN message is not enough, we can throw an exception instead, but that may surprise users a little bit.

[1] Some of the custom cache implementations also perform deserialization (e.g. mybatis-redis-cache). I plan to look into it later, but the recommended solution is the same i.e. the JEP-290 filter.
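The mitigation the PR recommends is a JEP-290 serial filter on the object stream that reads cached values back. The following is an added example, not MyBatis code and not taken from the PR: it attaches an allow-list filter to an ObjectInputStream, shows a legitimate cached value passing through it, and shows a class outside the allow-list being rejected before it is instantiated. The CachedRow type, the com.example.model package, the resource limits and the pattern itself are assumptions chosen for the demo; an application would list its own entity packages instead.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.sql.Timestamp;

/**
 * Added example (not MyBatis code): apply a JEP-290 allow-list filter to the
 * ObjectInputStream that reads a cached value back, so that only expected
 * classes can be deserialized from cache entries.
 */
public class CacheDeserializationFilterDemo {

    /** Hypothetical cached result object; stands in for an application's mapped entity. */
    public static final class CachedRow implements Serializable {
        private static final long serialVersionUID = 1L;
        final long id;
        final String name;
        CachedRow(long id, String name) { this.id = id; this.name = name; }
        @Override public String toString() { return "CachedRow{id=" + id + ", name=" + name + "}"; }
    }

    /**
     * JEP-290 pattern (assumed values). The first matching pattern wins and the
     * trailing "!*" rejects every class not explicitly allowed; the size and
     * depth limits are checked before any class pattern.
     */
    static final String FILTER_PATTERN =
        "maxdepth=20;maxrefs=1000;maxbytes=1048576;"
        + "java.base/*;"                        // String, boxed primitives, java.util collections
        + "com.example.model.**;"               // hypothetical application entity package
        + CachedRow.class.getName() + ";"       // the demo's own cached type
        + "!*";                                 // reject everything else

    static ObjectInputFilter cacheFilter() {
        return ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Read one object back with the filter attached to this particular stream. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(cacheFilter());
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. A legitimate cached value (constructed sample) round-trips through the filter.
        Object ok = deserializeFiltered(serialize(new CachedRow(42L, "alice")));
        System.out.println("allowed: " + ok);

        // 2. A class outside the allow-list is rejected before its readObject() runs.
        //    java.sql.Timestamp is harmless; it is used only because it lives in module
        //    java.sql, so it matches no pattern except the final "!*".
        byte[] foreign = serialize(new Timestamp(0L));
        try {
            deserializeFiltered(foreign);
            System.out.println("unexpected: foreign class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3. Process-wide default, equivalent to launching with -Djdk.serialFilter=<pattern>.
        //    Every ObjectInputStream created afterwards inherits it. This call may be made
        //    only once per JVM and fails with IllegalStateException if the system property
        //    already set a filter.
        ObjectInputFilter.Config.setSerialFilter(cacheFilter());
        System.out.println("process-wide filter set: "
            + (ObjectInputFilter.Config.getSerialFilter() != null));
    }
}
```

Setting the process-wide filter (step 3, or the jdk.serialFilter system property) is the form a library cannot bypass by constructing its own ObjectInputStream, so it is the one to rely on for code you do not control, such as a second-level cache implementation; the per-stream form in deserializeFiltered is useful where you own the stream and want a stricter list than the JVM default.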

MyBatis component overview
MyBatis was originally iBatis, an open-source Apache project; in 2010 the project moved from the Apache Software Foundation to Google Code and was renamed MyBatis.

MyBatis is a first-class persistence framework that supports custom SQL, stored procedures and advanced mappings. It eliminates almost all JDBC code, manual parameter setting and result-set handling. MyBatis can use simple XML or annotations for configuration and mapping, mapping interfaces and Java POJOs (Plain Ordinary Java Objects) to database records.

Vulnerability description
On October 6, 2020, MyBatis released version 3.5.6, which fixes a remote code execution vulnerability tracked as CVE-2020-26945.

An attacker can trigger remote code execution when all three of the following conditions are met:

1. The user has enabled the built-in second-level cache.

2. The user has not configured a JEP-290 filter.

3. The attacker has found a way to modify entries of the private Map field org.apache.ibatis.cache.impl.PerpetualCache.cache, together with a valid cache key.

Affected versions
MyBatis versions currently affected:

MyBatis < 3.5.6

Remediation
The vendor has released a patched version that fixes the vulnerability; affected users should upgrade as soon as possible. The patch is available from:

https://github.com/mybatis/mybatis-3

Timeline
2020/10/06 MyBatis releases the fix.
