Apache MINA's AbstractIoBuffer.resolveClass() method contains two branches for resolving classes during deserialization. One branch, handling static classes or primitive types, does not enforce the classname allowlist, which is designed to restrict deserialization to safe classes. This bypass allows an attacker to deserialize untrusted data leading to arbitrary code execution. The vulnerability affects Apache MINA versions 2.1.0 to 2.1.11 and 2.2.0 to 2.2.6. The fix, introduced in versions 2.1.12 and 2.2.7, applies the classname allowlist earlier to prevent this bypass. Applications using Apache MINA that invoke IoBuffer.getObject() are vulnerable if not updated.

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on affected systems without authentication, leading to full compromise (confidentiality, integrity, and availability impact). The CVSS v3.1 score is 9.8 (critical), reflecting the network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

A fix is available in Apache MINA versions 2.1.12 and 2.2.7, which apply the classname allowlist earlier to prevent deserialization of untrusted classes. Users of affected versions (2.1.0 through 2.1.11 and 2.2.0 through 2.2.6) should upgrade to these fixed versions promptly. No vendor advisory content contradicts this; therefore, upgrading is the recommended remediation. There is no indication of alternative mitigations or temporary fixes.