### Critical Vulnerability Information

#### Vulnerability Overview

- **Vulnerability Name**: Unsafe PHP Deserialization in Gearman Worker Allows Conditional Object Injection
- **Risk Level**: High
- **CVE ID**: CVE-2026-24891

#### Affected Products and Versions

- **Product**: openITCOCKPIT Community Edition
- **Affected Versions**: 5.3.1
- **Fixed Version**: 5.4.0

#### Vulnerability Cause

1. Direct use of the `unserialize()` function on externally provided data (the Gearman job workload)
2. No `allowed_classes` restriction, so any autoloadable class in the worker process can be instantiated
3. Reliance on deployment-level trust assumptions (that only the application submits jobs) instead of enforced validation
4. Use of PHP serialization as the IPC format at the message queue boundary, where the receiver cannot distinguish legitimate jobs from attacker-supplied ones

#### Attack Scenario

Gearman itself has no authentication: anyone who can reach the daemon can submit jobs. If the Gearman daemon or worker is accessible to an attacker (e.g., due to network exposure, misconfigured containers, or missing firewall rules), the attacker can submit arbitrary serialized payloads to the `oipc_gearman` function, and the worker deserializes them unconditionally.

#### Proof of Concept

1. Generate a payload from an existing gadget chain, e.g., using Ambionics' phpggc tool against the libraries bundled with the application.
2. Trigger the unsafe deserialization by submitting the payload directly as a job workload.

#### Impact

Successful exploitation may allow an attacker to:

- Instantiate arbitrary PHP objects in the worker process
- Trigger magic methods (`__wakeup`, `__destruct`) without any further action by the application
- Execute gadget chains leading to remote code execution, file system modification, credential leakage, and persistent compromise of the host running the worker

#### Mitigation and Recommendations

- **Code Level**: Replace unsafe deserialization with a safer alternative; use a structural format (e.g., JSON) for inter-process communication, and validate payload structure and origin. If PHP serialization cannot be removed immediately, pass `['allowed_classes' => false]` to `unserialize()` as a stopgap so that no object can be instantiated; this blocks magic-method gadgets but does not by itself validate the payload.
- **Deployment Level** (Defense in Depth): Restrict Gearman access to localhost or private networks; enforce strict firewall rules for Gearman services (default port 4730/tcp); avoid exposing Gearman to untrusted or multi-tenant networks. Check with `ss -ltn` (or `netstat -ltn`) that the daemon is bound to `127.0.0.1` rather than `0.0.0.0` or `[::]`.
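The following is an added example, not code from openITCOCKPIT or from the advisory. It shows the vulnerable pattern the advisory describes (a worker handler calling `unserialize()` on the raw job workload) next to the two code-level fixes recommended above, and runs a constructed payload through all three. The `FileWriter` class stands in for any autoloadable class with a dangerous `__destruct`; the handler names, the payload layout, the task names `check_host` / `check_service`, and the worker registration shown in the trailing comment are assumptions for illustration only.

```php
<?php
// Added example (not openITCOCKPIT code). Demonstrates unsafe PHP
// deserialization of a Gearman job workload and two hardened variants.

// Stand-in for a gadget: any class reachable by the worker's autoloader
// whose magic method has a side effect. The attacker never needs this
// class's source, only its name and property names.
class FileWriter {
    public string $path = '';
    public string $data = '';
    // Fires when the object is freed, i.e. immediately after unserialize()
    // if the application discards the result.
    public function __destruct() {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// VULNERABLE: the pattern described in the advisory. Whatever bytes arrive
// in the workload are deserialized with no class restriction.
function handle_job_vulnerable(string $workload): mixed {
    return unserialize($workload);
}

// STOPGAP: keep the serialization format but forbid object instantiation.
// Any object in the payload becomes __PHP_Incomplete_Class, so no magic
// method of an application class ever runs. Structure is still checked
// by hand because allowed_classes does not validate it.
function handle_job_allowed_classes(string $workload): array {
    $data = unserialize($workload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('workload is not a serialized array');
    }
    return $data;
}

// RECOMMENDED: use JSON as the IPC format and validate the structure.
// JSON has no way to express a PHP object, so gadgets are impossible.
function handle_job_json(string $workload): array {
    $data = json_decode($workload, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['task']) || !is_string($data['task'])) {
        throw new InvalidArgumentException('workload missing string field "task"');
    }
    // Assumed task whitelist; a real worker would dispatch on these names.
    if (!in_array($data['task'], ['check_host', 'check_service'], true)) {
        throw new InvalidArgumentException('unknown task ' . $data['task']);
    }
    return $data;
}

// Constructed attacker payload: a serialized FileWriter object built as a
// raw string, the way a gadget-chain generator would emit it.
$target  = sys_get_temp_dir() . '/gadget_demo.txt';
@unlink($target);
$payload = sprintf(
    'O:10:"FileWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:21:"written by __destruct";}',
    strlen($target), $target
);

// 1. Vulnerable handler: the returned object is discarded, __destruct runs.
handle_job_vulnerable($payload);
echo file_exists($target)
    ? "vulnerable: gadget executed, wrote $target\n"
    : "vulnerable: (unexpected) nothing written\n";
@unlink($target);

// 2. allowed_classes => false: object is never instantiated, payload rejected.
try {
    handle_job_allowed_classes($payload);
} catch (InvalidArgumentException $e) {
    echo "allowed_classes: rejected (" . $e->getMessage() . ")\n";
}
echo file_exists($target) ? "allowed_classes: FAILED\n" : "allowed_classes: no file written\n";

// 3. JSON: the serialized string is not valid JSON at all.
try {
    handle_job_json($payload);
} catch (JsonException $e) {
    echo "json: rejected (" . $e->getMessage() . ")\n";
}
// A legitimate JSON job passes validation.
print_r(handle_job_json('{"task":"check_host","host":"web01"}'));

// Assumed wiring with the pecl gearman extension (not executed here):
//   $worker->addFunction('oipc_gearman',
//       fn(GearmanJob $job) => handle_job_json($job->workload()));
```

Run it with a PHP 8 CLI; the first step writes a file in the temp directory purely through `__destruct`, while the two hardened handlers reject the same bytes before any object exists. On malformed input `unserialize()` returns `false` and emits a notice, which the `is_array` check turns into an exception; a real worker should also log the rejection so that probing of the queue shows up in monitoring.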