Apache Jackrabbit RMI access can lead to RCE
CVE-2023-37895
Key Information:
- Vendor: Apache
- Status: Vendor
- CVE Published: 25 July 2023
Summary
A Java object deserialization flaw in the Jackrabbit webapp and standalone distributions allows a remote attacker to execute code via RMI; the deserialization gadget is the bundled, vulnerable 'commons-beanutils' component. The flaw affects versions up to and including 2.20.10 (stable) and 2.21.17 (unstable). Users are strongly advised to upgrade to the fixed releases, 2.20.11 or 2.21.18. Note that other components deployed alongside Jackrabbit in the same container may expose the server to similar deserialization issues. As an additional hardening measure, RMI access should be disabled where it is not required.
Affected Version(s)
- Apache Jackrabbit Standalone (jackrabbit-standalone and jackrabbit-standalone-components): from 2.21.0 before 2.21.18
- Apache Jackrabbit Standalone (jackrabbit-standalone and jackrabbit-standalone-components): from 1.0.0 before 2.20.11
- Apache Jackrabbit Webapp (jackrabbit-webapp): from 2.21.0 before 2.21.18