AL2022_81 Critical remote code execution vulnerability affecting Quarkus Java Framework (1st December 2022)

Description  

The Quarkus Java framework has been found to have a serious security flaw that might be used to execute remote code on vulnerable systems.  

Quarkus, developed by Red Hat, is an open-source project that is used for creating Java applications in containerized and serverless environments. 

Summary 

The flaw, identified as CVE-2022-4116, can be trivially exploited by a malicious actor with no privileges. The Dev UI Config Editor has a vulnerability that makes it susceptible to drive-by localhost attacks that could result in remote code execution (RCE). 

The issue only impacts developers who are running Quarkus and are tricked into visiting a specially crafted website, which is embedded with malicious JavaScript code designed to install or execute arbitrary payloads. Without the victim's further involvement, this could take the shape of spear-phishing or a watering hole attack. As an alternative, the assault might be carried out by presenting fake adverts on well-known websites that developers frequently visit. A developer can check the status of an application, make configuration changes, move databases, and clear caches using the Dev UI, which is accessible through a Dev Mode and is bound to localhost. 

The Dev UI lacks essential security measures like authentication and cross-origin resource sharing (CORS) because it is only accessible from the developer's local system, which makes it possible for a malicious website to read data from legitimate websites. The issue is that malicious websites may include JavaScript code that can be weaponized to change the settings of the Quarkus application by sending an HTTP POST request that results in code execution. 

It should be noted that eventhough this flaw only affects Dev Mode, the impact is still high, because it can lead to an attacker gaining local access to the victim’s development box. 

Remediation  

To safeguard against this flaw users are advised to update to versions 2.14.2. Final and 2.13.5.Final. A work around is to move all the non-application endpoints to a random root path. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Critical remote code execution vulnerability affecting Quarkus Java Framework.pdf

References