Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

The Hacker News

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems.

Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges.

“The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote-code execution (RCE),” Contrast Security researcher Joseph Beeton, who reported the bug, said in a write-up.

Quarkus, developed by Red Hat, is an open source project that’s used for creating Java applications in containerized and serverless environments.

It’s worth pointing out that the issue only impacts developers who are running Quarkus and are tricked into visiting a specially crafted website, which is embedded with malicious JavaScript code designed to install or execute arbitrary payloads.

This could take the form of a spear-phishing or a watering hole attack without requiring any further interaction on the part of the victim. Alternatively, the attack can be pulled off by serving rogue ads on popular websites frequented by developers.

The Dev UI, which is offered through Dev Mode, is bound to localhost (i.e., the developer's own machine) and allows a developer to monitor the status of an application, change the configuration, migrate databases, and clear caches.

Because it's restricted to the developer's local machine, the Dev UI also lacks crucial security controls such as authentication and cross-origin resource sharing (CORS) restrictions, which would otherwise prevent a page on another site from reading its responses.

The problem identified by Contrast Security lies in the fact that the JavaScript code hosted on a malware-laced website can be weaponized to modify the Quarkus application configuration via an HTTP POST request to trigger code execution.

“While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box,” Quarkus noted in an independent advisory.

Users are recommended to upgrade to version 2.14.2.Final or 2.13.5.Final to safeguard against the flaw. A potential workaround is to move all the non-application endpoints to a random root path.
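The article's point is that a localhost-bound endpoint with no origin checks will accept a POST issued by whatever page the developer happens to have open. The following added example (not Quarkus code, and not from the researcher's write-up) shows the Host and Origin validation such an endpoint needs; every header value in it is constructed for illustration, and the `evil.example`/`attacker.example` names are placeholders.

```python
# Added example (not Quarkus code): Host/Origin validation for a localhost-only
# dev endpoint so that a page on another site cannot drive it from the
# developer's browser. Header names and values are constructed for illustration.
from typing import Dict, Optional
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _hostname(netloc: str) -> str:
    """Strip the port from a Host header or URL netloc; keep IPv6 brackets."""
    netloc = netloc.lower()
    if netloc.startswith("["):
        return netloc[: netloc.index("]") + 1]
    return netloc.split(":", 1)[0]


def is_loopback_host(host: Optional[str]) -> bool:
    """The Host header must name the loopback interface (blocks DNS rebinding)."""
    return host is not None and _hostname(host) in LOOPBACK_HOSTS


def is_loopback_origin(origin: Optional[str]) -> bool:
    """Origin must be an http(s) origin on loopback; 'null' and other sites fail."""
    if not origin:
        return False
    parts = urlsplit(origin)
    return parts.scheme in ("http", "https") and _hostname(parts.netloc) in LOOPBACK_HOSTS


def allow_dev_ui_request(method: str, headers: Dict[str, str]) -> bool:
    """Decide whether a request to the dev endpoint may be served at all."""
    h = {k.lower(): v for k, v in headers.items()}
    if not is_loopback_host(h.get("host")):
        return False
    origin, fetch_site = h.get("origin"), h.get("sec-fetch-site")
    # Browsers attach Origin to cross-site POSTs and Sec-Fetch-Site to fetches:
    # if either says the request did not come from a local page, refuse it.
    if origin is not None and not is_loopback_origin(origin):
        return False
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return False
    # Remaining cases: a local page, or a non-browser client such as curl on the
    # same box (which sends neither header) and still passed the Host check.
    return True
```

The check is a compensating control only; the page's own remediation is the upgrade, with the random non-application root path as the stated workaround.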


Related news

RHSA-2022:9023: Red Hat Security Advisory: Red Hat build of Quarkus 2.13.5 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-3171: protobuf-java: timeout in parser leads to DoS
* CVE-2022-4116: quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
* CVE-2022-4147: quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
* CVE-2022-31197: postgresql: SQL Injection in ResultSet.refreshRow() with mal...

Red Hat Security Advisory 2022-8957-01

Red Hat Security Advisory 2022-8957-01 - This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include a deserialization vulnerability.

RHSA-2022:8957: Red Hat Security Advisory: Red Hat build of Quarkus Platform 2.7.6.SP3 and security update

An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-4116: quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
* CVE-2022-4147: quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
* CVE-2022-45047: mina-sshd: Java unsafe deserialization vulnerability

Critical Quarkus Flaw Threatens Cloud Developers With Easy RCE

Red Hat has issued patches for a bug in an open source Java virtual machine software that opens the door to drive-by localhost attacks. Patch now, as it's easy for cyberattackers to exploit.

GHSA-g56w-cwg4-hxx9: Code injection in quarkus dev ui config editor

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.

CVE-2022-4116: Red Hat Customer Portal - Access to 24x7 support and knowledge

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.