Cybersecurity specialists report the detection of multiple vulnerabilities in JBoss Enterprise Application Platform (JBoss EAP), an open source platform developed by Red Hat that allows users to create, deploy and host highly transactional Java applications and services. According to the report, successful exploitation of these flaws would allow threat actors to deploy all sorts of hacking tasks, in addition to the fact that there are some publicly available exploits.
Below are brief descriptions of the reported flaws, in addition to their respective tracking keys and scores assigned under the Common Vulnerability Scoring System (CVSS).
CVE-2021-44832: Incorrect input validation would allow remote users with permission to modify the registry configuration file to construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI capable of executing remote code.
This is a flaw of medium severity and received a CVSS score of 5.8/10.
CVE-2021-45046: An incomplete patch in Apache Log4j 2.15.0 for a code injection vulnerability would allow remote threat actors with control over thread context map input data to perform denial of service (DoS) attacks and arbitrary code execution.
This is a high severity flaw and received a CVSS score of 8.1/10. It is worth mentioning that there is a proof-of-concept (PoC) exploit for this vulnerability.
CVE-2021-45105: An infinite loop within the StrSubstitutor class would allow remote hackers to pass a specially crafted entry to the application, which would lead to a DoS condition on the affected system.
The flaw received a CVSS score of 6.7/10 and a publicly available PoC exploit exists.
CVE-2021-4104: Insecure input validation when processing serialized data in JMSAppender would allow hackers with write access to the Log4j configuration to provide TopicBindingName and TopicConnectionFactoryBindingName configurations to make JMSAppender make JNDI requests, which could result in remote code execution (RCE).
This is a flaw of medium severity and received a CVSS score of 7.1/10.
CVE-2022-23307/CVE-2020-9493: Insecure input validation when processing serialized data would allow remote threat actors to pass specially crafted data to the affected application, resulting in arbitrary code execution on the compromised system.
This is a critical vulnerability and received a CVSS score of 8.5/10.
CVE-2022-23302: Insecure input validation when processing serialized data in JMSSink would allow remote attackers to provide a TopicConnectionFactoryBindingName configuration that causes JMSSink to make JNDI requests, triggering arbitrary code execution in affected implementations.
The vulnerability received a CVSS score of 8.5/10.
CVE-2022-23305: Insufficient disinfection of user-provided data in JDBCAppender would allow threat actors to send specially crafted requests to the affected application and execute arbitrary SQL commands, putting sensitive information at risk.
This is a flaw of medium severity and received a CVSS score of 6.4/10.
CVE-2021-44228: Incorrect input validation when processing LDAP requests would allow remote malicious hackers to send specially crafted requests to the affected application and execute arbitrary code on the affected systems.
This is a critical security flaw and received a CVSS score of 9.4/10. There are already known cases of active exploitation of this flaw.
According to the report, the flaws reside in all versions of JBoss Enterprise Application Platform between 7.4.0 and 7.4.3.
The risk associated with these reports is critical and the existence of exploits further increases the risk. The good news is that patches are already available to address these flaws, so Red Hat recommends users of affected deployments upgrade immediately.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
