Certain versions of the JBoss Seam 2 framework (<2.2.1CR2) accept and execute JBoss EL (Expression Language) expressions that are passed to the actionOutcome parameter. By leveraging the EL resolver and Java reflection, an attacker is able to achieve remote code execution by either executing shell commands via the Java Runtime or by uploading and executing payloads.
Exploitation
Stages
- The attacker probes the vulnerable JBoss Seam server with HTTP GET/POST and JBoss EL in the URL query for methods in the Java Runtime class.
- The attacker compromises the vulnerable JBoss Seam server by sending HTTP GET/POST with JBoss EL combining and invoking Java Runtime methods to execute shell commands.
- Alternatively, the attacker can send HTTP GET/POST requests with JBoss EL that will write data contained in the URL parameters to executable files anywhere on the server.
Prerequisites
The attacker is able to access Seam API without authentication.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Detection of this threat is provided via Alert Logic ActiveWatch for Web Security Manager service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.
Comments
0 comments
Please sign in to leave a comment.