Vulnerability Affecting Server Environments On Java 1.8 on Updates lower than 1.8u191
Published on 28 Mar 2023by Fabio Turizo
We work hard to ensure Payara Platform is as secure as possible. In our due diligence, we discovered a vulnerability in Payara Plaform. The vulnerability only affects very specific scenarios, and its mitigation is easy to setup.
The vulnerability in question is CVE-2023-28462, which was requested directly by Payara.
It is a JNDI Exploit using 'context.rebind` method when running Payara Server on an older JDK 8 Update. The JNDI exploit can be triggered via access to insecure ORB listeners exposed by a Payara Server installation.
This vulnerability allows remote attackers to load malicious code into a Payara Server installation that is public facing (exposed on the Internet) using remote JNDI access via unsecured ORB listeners. The vulnerability is dangerous in the sense that it allows attackers to load the remote exploit only by knowing the location of any unsecured ORB listener (hostname and port).
However, the vulnerability only affects server environments running on Java 1.8 on running on updates lower than 1.8u191. If the server environment runs in a newer update or if it runs on JDK11+ the exploit cannot be triggered under any circumstance.
To deal with this vulnerability, follow these instructions:
- If a Payara Enterprise customer is running a Payara Server 4.x or 5.x environment using Java 1.8, they should be running it on its latest update.
- Reminder: Payara Enterprise customers have access to recent JDK 1.8 updates courtesy of Azul Platform Core.
- If a customer can’t upgrade their environment to run under the latest (or a newer update greater that 191), they can mitigate the vulnerability by either:
- Disabling any public facing ORB listeners if they are not used in any way.
- Configuring all public facing ORB listeners to be secured using SSL/TLS communication.
- Customers may contact support to get more details on how to correctly setup ORB listeners’ security.
- If a community user is running a Payara Server 5.x environment using Java 1.8, they should be running Payara Server 6.x as 5.x is out of support.
- If it’s not possible for a user to update their environment to 6.x, they should either upgrade their Java 8 runtimes to a newer update or apply the mitigation measures (disabling or securing the listener) mentioned above.
- Payara Server 6.x (both Community and the soon-to-be-released Enterprise) are not affected since they require Java 11 at a minimum to run. Users shouldn’t be concerned with the exploit in this case.
- Nevertheless, we recommend users to ALWAYS either disable or secure any public-facing ORB listeners as it is a good practice to prevent most attacks on their environments.
Credit to discovering this vulnerability goes to tr1ple from AntGroup FG.