{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/hyperledger/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["fabric-sdk-java"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","java"],"_cs_type":"advisory","_cs_vendors":["Hyperledger"],"content_html":"\u003cp\u003eThe \u003ccode\u003efabric-sdk-java\u003c/code\u003e client SDK, a deprecated component of Hyperledger Fabric, contains a critical insecure-deserialization vulnerability. \u003ccode\u003eChannel.java\u003c/code\u003e implements \u003ccode\u003ereadObject()\u003c/code\u003e and exposes a \u003ccode\u003edeSerializeChannel()\u003c/code\u003e method that calls \u003ccode\u003eObjectInputStream.readObject()\u003c/code\u003e on a caller-supplied byte array without configuring an \u003ccode\u003eObjectInputFilter\u003c/code\u003e. With no filter, the stream may instantiate any serializable class on the application classpath, so an attacker who can supply those bytes can have the JVM reconstruct an arbitrary object graph; if a suitable gadget chain is present on the classpath, deserialization leads to remote code execution (RCE) in the process that called \u003ccode\u003edeSerializeChannel()\u003c/code\u003e. \u003ccode\u003efabric-sdk-java\u003c/code\u003e has been deprecated since Hyperledger Fabric v2.5 and replaced by \u003ccode\u003eorg.hyperledger.fabric:fabric-gateway\u003c/code\u003e, but organizations that have not yet migrated remain exposed; a deprecated component receives no fixes, which is why migration is the primary remediation. The vulnerability exists in versions 1.0.0 through 2.2.26.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious serialized Java object with a gadget-chain generator such as \u003ccode\u003eysoserial\u003c/code\u003e, for example \u003ccode\u003ejava -jar ysoserial.jar CommonsCollections6 \u0026quot;touch /tmp/pwned\u0026quot; \u0026gt; malicious_channel.ser\u003c/code\u003e. A chain only works if its gadget classes are on the target application classpath (Apache Commons Collections 3.x for \u003ccode\u003eCommonsCollections6\u003c/code\u003e), so the attacker picks a chain that matches the dependencies of the target.\u003c/li\u003e\n\u003cli\u003eThe attacker gets those bytes to the client application, either by tampering with a locally stored channel file that the application later restores, or by sending them to an application that accepts serialized Channel bytes from an external source.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-controlled byte array to \u003ccode\u003edeSerializeChannel()\u003c/code\u003e in \u003ccode\u003eChannel.java\u003c/code\u003e, which wraps it in an \u003ccode\u003eObjectInputStream\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eObjectInputStream.readObject()\u003c/code\u003e runs with no \u003ccode\u003eObjectInputFilter\u003c/code\u003e, so every class descriptor in the stream is resolved and instantiated as written, including classes that have nothing to do with \u003ccode\u003eChannel\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWhile rebuilding the object graph, the JVM invokes the \u003ccode\u003ereadObject()\u003c/code\u003e, \u003ccode\u003ereadResolve()\u003c/code\u003e and similar hooks of the embedded classes, and those hooks call further methods (\u003ccode\u003ehashCode()\u003c/code\u003e, \u003ccode\u003eequals()\u003c/code\u003e and so on); a gadget chain strings such calls together so that the payload, here the shell command, runs before \u003ccode\u003ereadObject()\u003c/code\u003e ever returns to the SDK.\u003c/li\u003e\n\u003cli\u003eThe payload executes with the privileges of the JVM hosting the client application, achieving RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets the attacker execute arbitrary code in the JVM running the vulnerable \u003ccode\u003efabric-sdk-java\u003c/code\u003e application, with the privileges of that process, which for a Fabric client typically includes the enrollment identities and signing keys the application uses to submit transactions. From there the attacker can compromise the host, exfiltrate data or act on the network as the application. The severity is critical because the only precondition is that attacker-controlled bytes reach \u003ccode\u003edeSerializeChannel()\u003c/code\u003e; the deserialization step itself performs no check on which classes the stream instantiates. Organizations still using the deprecated \u003ccode\u003efabric-sdk-java\u003c/code\u003e remain at high risk until they migrate to the supported \u003ccode\u003efabric-gateway\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eMigrate to \u003ccode\u003eorg.hyperledger.fabric:fabric-gateway\u003c/code\u003e\u003c/strong\u003e as the primary remediation; it does not use Java serialization, so the vulnerable code path does not exist there. \u003ccode\u003efabric-sdk-java\u003c/code\u003e is deprecated and no fixed release should be expected.\u003c/li\u003e\n\u003cli\u003eIf migration cannot happen immediately, apply the fix suggested in the advisory: set an \u003ccode\u003eObjectInputFilter\u003c/code\u003e on the \u003ccode\u003eObjectInputStream\u003c/code\u003e in \u003ccode\u003edeSerializeChannel()\u003c/code\u003e that allow-lists only the classes a serialized \u003ccode\u003eChannel\u003c/code\u003e legitimately contains and rejects everything else (\u003ccode\u003ejava.io.ObjectInputFilter\u003c/code\u003e is standard since Java 9 and available on Java 8u121+ as \u003ccode\u003esun.misc.ObjectInputFilter\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhere the SDK itself cannot be patched, enforce the same allow-list process-wide with the \u003ccode\u003ejdk.serialFilter\u003c/code\u003e system property (or the same key in \u003ccode\u003ejava.security\u003c/code\u003e); a pattern ending in \u003ccode\u003e!*\u003c/code\u003e rejects any class not explicitly listed. A process-wide filter governs every other deserialization in the JVM as well, so test it against all code paths that read serialized objects.\u003c/li\u003e\n\u003cli\u003eUntil then, reduce exposure: restrict write access to any stored channel file the application restores, and do not accept serialized Channel bytes from external sources.\u003c/li\u003e\n\u003cli\u003eLog deserialization events for detection and incident response: the JDK records filter decisions under the \u003ccode\u003ejava.io.serialization\u003c/code\u003e logger, and a \u003ccode\u003ejava.io.InvalidClassException\u003c/code\u003e carrying \u003ccode\u003efilter status: REJECTED\u003c/code\u003e in application logs is a direct indicator of an attempted payload.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:41:58Z","date_published":"2026-04-29T20:41:58Z","id":"/briefs/2024-01-26-fabric-deserialization/","summary":"The deprecated fabric-sdk-java client SDK is vulnerable to Java deserialization RCE due to the use of ObjectInputStream.readObject() without an ObjectInputFilter in Channel.java, allowing remote code execution if an attacker can supply crafted serialized Channel bytes to the client application.","title":"Hyperledger Fabric SDK Java Deserialization RCE","url":"https://feed.craftedsignal.io/briefs/2024-01-26-fabric-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Hyperledger","version":"https://jsonfeed.org/version/1.1"}