GHSA-px7w-c9gw-7gj3: Apache James server: Privilege escalation via JMX pre-authentication deserialization
Apache James prior to version 3.7.5 and 3.8.0 exposes a JMX endpoint on localhost subject to pre-authentication deserialisation of untrusted data. Given a deserialisation gadget, this could be leveraged as part of an exploit chain that could result in privilege escalation. Note that by default the JMX endpoint is only bound locally.
We recommend that users:
- Upgrade to a non-vulnerable Apache James version
- Run Apache James isolated from other processes (Docker or a dedicated virtual machine)
- Turn off JMX if possible
- CVE-2023-51518
Moderate severity • GitHub Reviewed • Published Feb 27, 2024 to the GitHub Advisory Database • Updated Feb 27, 2024
Package: org.apache.james:james-server (Maven)
Affected versions:
- <= 3.7.4
- >= 3.8.0, < 3.8.1
Patched versions:
- 3.7.5
- 3.8.1
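The affected and patched ranges listed for `org.apache.james:james-server` can be checked mechanically against a deployed version. The Python below is an added example, not part of the advisory or of Apache James; the function names are hypothetical, and treating any qualified build (such as `-SNAPSHOT`) as older than its release is a simplifying assumption.

```python
import re

# Ranges and fixed releases copied from this advisory.
AFFECTED = ["<= 3.7.4", ">= 3.8.0, < 3.8.1"]
PATCHED = ["3.7.5", "3.8.1"]

_OPS = {
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """Return a sortable key, e.g. '3.8.1-SNAPSHOT' -> ((3, 8, 1), 0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad '3.8' to (3, 8, 0)
    # Assumption: a qualified build (-SNAPSHOT, -RC1) sorts before its release.
    return nums, 0 if m.group(2) else 1


def in_range(version, range_expr):
    """True when version satisfies every comma-separated constraint."""
    key = parse_version(version)
    for constraint in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", constraint)
        if not m:
            raise ValueError(f"unrecognised constraint: {constraint!r}")
        if not _OPS[m.group(1)](key, parse_version(m.group(2))):
            return False
    return True


def check_james_version(version):
    """Return (affected, first_fixed_release_or_None) for james-server."""
    if not any(in_range(version, r) for r in AFFECTED):
        return False, None
    key = parse_version(version)
    fixes = [p for p in PATCHED if parse_version(p) > key]
    return True, min(fixes, key=parse_version)


if __name__ == "__main__":
    for v in ("3.7.4", "3.7.5", "3.8.0", "3.8.1", "3.6", "3.8.1-SNAPSHOT"):
        print(v, check_james_version(v))
```

A version that is not in range still warrants the other two recommendations (isolation and disabling JMX where possible), since the check only covers the release number.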
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-51518
- https://lists.apache.org/thread/wbdm61ch6l0kzjn6nnfmyqlng82qz0or