SQL injection, deserialization and other remotely exploitable vulnerabilities in Red Hat JBoss Web Server

Cybersecurity specialists report the detection of at least four critical vulnerabilities in JBoss Web Server, the open source Java EE application server written in pure Java and developed by Red Hat Inc. According to the report, successful exploitation of these flaws would allow threat actors to access sensitive information.

Below is a brief report on the flaws reported, in addition to their respective identification keys and scores established according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-25638: Insufficient sanitization of user input when “hibernate.use_sql_comments” is set to “True” allows threat actors to send a specially crafted request to the affected application and execute arbitrary SQL commands against the application database.

The vulnerability received a CVSS score of 7.1/10 and would allow hackers to read, delete and even modify data in the affected database.

CVE-2021-25122: Improper management of internal resources within the application when processing new h2c connection requests would allow remote hackers to send specially crafted requests to the server and obtain the content of HTTP responses.

The vulnerability received a score of 4.6/10 and its exploitation allows attackers to access sensitive information.

CVE-2021-25329: Insecure input validation when processing serialized data would allow remote hackers to pass specially crafted data to the affected application.

The flaw received a CVSS score of 6.4/10 and its successful exploitation allows arbitrary code to be executed on the affected system.

CVE-2020-9484: Insecure input validation when deserializing data from file names loaded by the application would allow remote attackers to pass a specially crafted file name to the application and execute arbitrary code on the target system.

The flaw received a CVSS score of 7.1/10 and its successful exploitation can result in a total compromise of the target system, but requires that the server be configured to use PersistenceManager with a FileStore and that the attacker know the relative path of the file from the storage location.
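The two flaws above each depend on a configuration precondition named in the report: `hibernate.use_sql_comments` set to true (CVE-2020-25638) and file-backed session persistence (CVE-2020-9484). The following read-only audit, an added example that is not part of the original report or of Red Hat's tooling, checks a Hibernate properties file and a Tomcat `context.xml` for those two settings; the sample inputs are constructed, and the class names `org.apache.catalina.session.PersistentManager` and `org.apache.catalina.session.FileStore` are the standard Tomcat names assumed here for what the report calls "PersistenceManager with a FileStore".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Hibernate properties file with the risky setting enabled.
SAMPLE_HIBERNATE_PROPERTIES = """\
hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
hibernate.show_sql=false
hibernate.use_sql_comments=true
"""

# Constructed sample Tomcat context.xml enabling file-based session persistence
# (class names assumed from Tomcat's standard session manager and store).
SAMPLE_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""

# Java .properties lines use "key=value" or "key: value"; comments start with # or !.
_PROP_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)$")


def hibernate_sql_comments_enabled(properties_text: str) -> bool:
    """True if hibernate.use_sql_comments is enabled (precondition for CVE-2020-25638)."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = _PROP_LINE.match(line)
        if match and match.group(1) == "hibernate.use_sql_comments":
            return match.group(2).strip().lower() == "true"
    return False


def file_store_session_persistence(context_xml: str) -> bool:
    """True if a PersistentManager backed by a FileStore is configured (CVE-2020-9484 precondition)."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if manager.get("className", "").endswith(".PersistentManager"):
            for store in manager.findall("Store"):
                if store.get("className", "").endswith(".FileStore"):
                    return True
    return False


def audit(properties_text: str, context_xml: str) -> list:
    """Return one finding per risky precondition present; empty list means neither applies."""
    findings = []
    if hibernate_sql_comments_enabled(properties_text):
        findings.append("CVE-2020-25638 precondition: hibernate.use_sql_comments=true; "
                        "set it to false or upgrade to JBoss Web Server 5.5.0 or later")
    if file_store_session_persistence(context_xml):
        findings.append("CVE-2020-9484 precondition: PersistentManager with FileStore; "
                        "restrict the store directory or upgrade to 5.5.0 or later")
    return findings
```

Point the two functions at the deployment's real Hibernate properties and `context.xml` contents; an empty result means neither precondition is present, not that the server is patched.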

The report notes that all flaws reside in versions of JBoss Web Server prior to v5.5.0.

While these flaws can be exploited remotely by unauthenticated threat actors, no active exploitation attempts or malware associated with them have been detected so far. Security patches to address these flaws are now available, so users of affected deployments are encouraged to update as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.