The Quarkus Java framework has been found to have a serious security flaw that might be used to execute remote code on vulnerable systems.
Quarkus, developed by Red Hat, is an open-source project that is used for creating Java applications in containerized and serverless environments.
The flaw, identified as CVE-2022-4116, can be trivially exploited by a malicious actor with no privileges. The Dev UI Config Editor has a vulnerability that makes it susceptible to drive-by localhost attacks that could result in remote code execution (RCE).
It should be noted that even though this flaw only affects Dev Mode, the impact is still high, because it can lead to an attacker gaining local access to the victim’s development box.
To safeguard against this flaw, users are advised to update to versions 2.14.2.Final and 2.13.5.Final. A workaround is to move all the non-application endpoints to a random root path.
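As an added example (not code from the advisory or from the Quarkus project), the check below reads a project's Maven pom.xml and application.properties offline and reports whether the pinned Quarkus release predates the fixed version for its branch and whether the non-application root path workaround has been applied. It assumes that every release before 2.13.5.Final is affected, that 2.14.x is affected below 2.14.2.Final, and that later branches ship with the fix; the sample project inputs are constructed.

```python
"""Offline check of a Quarkus project against the CVE-2022-4116 advisory.
Added example; not code from the advisory or the Quarkus project."""
import re

# Fixed releases named in the advisory, keyed by minor branch.
FIXED = {(2, 13): (2, 13, 5), (2, 14): (2, 14, 2)}
DEFAULT_ROOT = "q"  # Quarkus default for quarkus.http.non-application-root-path

def parse_version(text):
    """'2.13.4.Final' -> (2, 13, 4); None if the string is not x.y.z[...]."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_vulnerable(version):
    """Assumption: releases before 2.13.5.Final are affected, 2.14.x is
    affected below 2.14.2.Final, and branches after 2.14 carry the fix."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Quarkus version: {version!r}")
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (2, 13)

def pinned_version(pom_xml):
    """Pull the Quarkus (platform) version out of a Maven pom.xml string."""
    m = re.search(r"<quarkus(?:\.platform)?\.version>([^<]+)<", pom_xml)
    return m.group(1).strip() if m else None

def workaround_applied(app_properties):
    """True when quarkus.http.non-application-root-path is set and not 'q'."""
    for line in app_properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "quarkus.http.non-application-root-path":
            return value.strip().strip("/") not in ("", DEFAULT_ROOT)
    return False

def assess(pom_xml, app_properties):
    """Combine both checks into one report for a project."""
    version = pinned_version(pom_xml)
    return {"version": version,
            "vulnerable": is_vulnerable(version) if version else None,
            "workaround": workaround_applied(app_properties)}

# Constructed sample project: vulnerable release, workaround not applied.
SAMPLE_POM = "<properties><quarkus.platform.version>2.13.4.Final</quarkus.platform.version></properties>"
SAMPLE_PROPS = "quarkus.http.port=8080\nquarkus.http.non-application-root-path=q\n"
```

Run `assess(SAMPLE_POM, SAMPLE_PROPS)` to see the report for the sample project; a project is only covered when it is either on a fixed release or has the root path moved.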
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Lakshmanan, R. (December 01, 2022). Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework. Retrieved from The Hacker News. https://thehackernews.com/2022/12/researchers-disclose-critical-rce.html
Arghire, I. (November 30, 2022). Developers Warned of Critical Remote Code Execution Flaw in Quarkus Java Framework. Retrieved from SecurityWeek. https://www.securityweek.com/developers-warned-critical-remote-code-execution-flaw-quarkus-java-framework