Can an unmodded Paper server be affected by unsafe deserialization on modded clients?
I recently was sent a link to GitHub describing a security vulnerability in many mods that, if exploited, allowed for arbitrary remote code execution on servers and clients. I run a Paper server that is completely unmodded, but I'm also not familiar enough with Java to know if the exploit could pose an issue to an unmodded server hosting clients with affected client-side mods. Here is the link to the GitHub page: https://github.com/dogboy21/serializationisbad Any help would be very much appreciated.
Thanks for asking your question!
Make sure to provide as much helpful information as possible, such as logs, what you tried and what your exact issue is.
Make sure to mark the thread solved when the issue is solved!!!
From my understanding, this vulnerability affects older versions of Minecraft on Forge.
https://blog.mmpa.info/posts/bleeding-pipe/
Bleeding Pipe: A RCE vulnerability exploited in the wild
A new vulnerability in LogisticsPipes and other mods allowing RCE on clients and servers.
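The bug class both links describe is mod code that hands bytes received over the network straight to `ObjectInputStream.readObject()`, so whatever serializable class the sender put in the stream gets instantiated. The following is an added illustration, not code from the page, from any mod, or from Paper: `PositionUpdate` is a hypothetical packet payload, `readUnfiltered` is the unsafe pattern, and `readFiltered` is the same read behind a JEP 290 allowlist filter (`ObjectInputFilter`, Java 9+) that rejects every class except the one expected.

```java
import java.io.*;

public class DeserializationFilterDemo {

    // Hypothetical packet payload a mod might expect from a client.
    static final class PositionUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y, z;
        PositionUpdate(int x, int y, int z) { this.x = x; this.y = y; this.z = z; }
    }

    // Unsafe pattern: whatever class the sender wrote into the stream is instantiated.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Hardened: JEP 290 allowlist. Only PositionUpdate is accepted; "!*" rejects every other class.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowOnlyPosition = ObjectInputFilter.Config.createFilter(
                PositionUpdate.class.getName() + ";!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(allowOnlyPosition);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PositionUpdate(1, 64, -3));
        // Constructed stand-in for an unexpected payload: a harmless JDK class, chosen only to
        // show that the unfiltered reader instantiates anything and the filtered one does not.
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("a")));

        System.out.println("unfiltered, expected:   " + readUnfiltered(expected).getClass());
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected).getClass());
        System.out.println("filtered, expected:     " + readFiltered(expected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter is applied per class as the stream is decoded, so the rejection happens before any constructor or `readObject` method of the unexpected class runs; a process that never calls `readObject()` on untrusted bytes at all has nothing to filter.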
Seems like all the known mods with the vulnerability are older, but the article also seems to say there's no reason why newer versions couldn't be affected unless they specifically fixed the issue. My question, though, is more whether an unmodded server could even be affected by modded clients. My assumption is no, but I'm just curious for a second opinion.
!solved
post closed!
The post/thread has been closed!