CVE-2023-0925 (GCVE-0-2023-0925)

Vulnerability from cvelistv5 – Published: 2023-09-06 17:27 – Updated: 2024-09-26 19:12
Summary
Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port). Port 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows.
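Severity
No CVSS data is available in the CNA (cvelistv5) record. The NVD analysis embedded in the record below assigns CVSS 3.1 base score 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.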

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:24:34.693Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "webmethods",
            "vendor": "softwareag",
            "versions": [
              {
                "status": "affected",
                "version": "10.11"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:azul:zulu:11.0.15:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "zulu",
            "vendor": "azul",
            "versions": [
              {
                "status": "affected",
                "version": "11.0.15"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-0925",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T19:10:11.367016Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T19:12:41.171Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "webMethods OneData",
          "vendor": "Software AG",
          "versions": [
            {
              "status": "affected",
              "version": "10.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port).\r\n\r\nPort 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-06T17:27:05.357Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "url": "https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Software AG webMethods OneData Deserialization Vulnerability",
      "x_generator": {
        "engine": "VINCE 2.1.4",
        "env": "prod",
        "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-0925"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2023-0925",
    "datePublished": "2023-09-06T17:27:05.357Z",
    "dateReserved": "2023-02-20T16:59:11.959Z",
    "dateUpdated": "2024-09-26T19:12:41.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"314E3CEE-D523-423D-8FD9-A24F2BE77EF5\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port).\\r\\n\\r\\nPort 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows.\"}, {\"lang\": \"es\", \"value\": \"La versi\\u00f3n 10.11 de webMethods OneData ejecuta una instancia integrada de Azul Zulu Java 11.0.15 que aloja un registro de Java RMI (que escucha en el puerto TCP 2099 de forma predeterminada) y dos interfaces RMI (que escucha en un \\u00fanico puerto alto TCP asignado din\\u00e1micamente). El puerto 2099 sirve como Java Remote Method Invocation (RMI) registro que permite cargar y procesar datos de forma remota a trav\\u00e9s de interfaces RMI. Un atacante no autenticado con conectividad de red al registro RMI y a los puertos de la interfaz RMI puede abusar de esta funcionalidad para indicar a la aplicaci\\u00f3n webMethods OneData que cargue un objeto Java serializado malicioso como par\\u00e1metro de uno de los m\\u00e9todos Java disponibles presentados por la interfaz RMI. 
Una vez deserializado en el servidor vulnerable, el c\\u00f3digo malicioso se ejecuta como cualquier cuenta del sistema operativo que se utilice para ejecutar el software, que en la mayor\\u00eda de los casos es la cuenta de System local en Windows.\"}]",
      "id": "CVE-2023-0925",
      "lastModified": "2024-11-21T07:38:06.610",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-09-06T18:15:07.897",
      "references": "[{\"url\": \"https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html\", \"source\": \"cret@cert.org\", \"tags\": [\"Product\"]}, {\"url\": \"https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}]",
      "sourceIdentifier": "cret@cert.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-0925\",\"sourceIdentifier\":\"cret@cert.org\",\"published\":\"2023-09-06T18:15:07.897\",\"lastModified\":\"2024-11-21T07:38:06.610\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port).\\r\\n\\r\\nPort 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows.\"},{\"lang\":\"es\",\"value\":\"La versi\u00f3n 10.11 de webMethods OneData ejecuta una instancia integrada de Azul Zulu Java 11.0.15 que aloja un registro de Java RMI (que escucha en el puerto TCP 2099 de forma predeterminada) y dos interfaces RMI (que escucha en un \u00fanico puerto alto TCP asignado din\u00e1micamente). El puerto 2099 sirve como Java Remote Method Invocation (RMI) registro que permite cargar y procesar datos de forma remota a trav\u00e9s de interfaces RMI. Un atacante no autenticado con conectividad de red al registro RMI y a los puertos de la interfaz RMI puede abusar de esta funcionalidad para indicar a la aplicaci\u00f3n webMethods OneData que cargue un objeto Java serializado malicioso como par\u00e1metro de uno de los m\u00e9todos Java disponibles presentados por la interfaz RMI. 
Una vez deserializado en el servidor vulnerable, el c\u00f3digo malicioso se ejecuta como cualquier cuenta del sistema operativo que se utilice para ejecutar el software, que en la mayor\u00eda de los casos es la cuenta de System local en Windows.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"314E3CEE-D523-423D-8FD9-A24F2BE77EF5\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2572D17-1DE6-457B-99CC-64AFD54487EA\"}]}]}],\"references\":[{\"url\":\"https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html\",\"source\":\"cret@cert.org\",\"tags\":[\"Product\"]},{\"url\":\"https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Software AG webMethods OneData Deserialization Vulnerability\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port).\\r\\n\\r\\nPort 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows.\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"affected\": [{\"vendor\": \"Software AG\", \"product\": \"webMethods OneData\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.11\"}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"references\": [{\"url\": \"https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html\"}], \"x_generator\": {\"engine\": \"VINCE 2.1.4\", \"env\": \"prod\", \"origin\": \"https://cveawg.mitre.org/api/cve/CVE-2023-0925\"}, \"providerMetadata\": {\"orgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"shortName\": \"certcc\", \"dateUpdated\": \"2023-09-06T17:27:05.357Z\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T05:24:34.693Z\"}, \"title\": \"CVE Program 
Container\", \"references\": [{\"url\": \"https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-0925\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-26T19:10:11.367016Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:softwareag:webmethods:10.11:*:*:*:*:*:*:*\"], \"vendor\": \"softwareag\", \"product\": \"webmethods\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.11\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:azul:zulu:11.0.15:*:*:*:*:*:*:*\"], \"vendor\": \"azul\", \"product\": \"zulu\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.0.15\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-26T19:12:29.916Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-0925\", \"assignerOrgId\": \"37e5125f-f79b-445b-8fad-9564f167944b\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"certcc\", \"dateReserved\": \"2023-02-20T16:59:11.959Z\", \"datePublished\": \"2023-09-06T17:27:05.357Z\", \"dateUpdated\": \"2024-09-26T19:12:41.171Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

