CVE-2023-0925

Software AG webMethods OneData Deserialization Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Version 10.11 of webMethods OneData runs an embedded instance of Azul Zulu Java 11.0.15 which hosts a Java RMI registry (listening on TCP port 2099 by default) and two RMI interfaces (listening on a single, dynamically assigned TCP high port).

Port 2099 serves as a Java Remote Method Invocation (RMI) registry which allows for remotely loading and processing data via RMI interfaces. An unauthenticated attacker with network connectivity to the RMI registry and RMI interface ports can abuse this functionality to instruct the webMethods OneData application to load a malicious serialized Java object as a parameter to one of the available Java methods presented by the RMI interface. Once deserialized on the vulnerable server, the malicious code runs as whichever operating system account is used to run the software, which in most cases is the local System account on Windows.

La versión 10.11 de webMethods OneData ejecuta una instancia integrada de Azul Zulu Java 11.0.15 que aloja un registro de Java RMI (que escucha en el puerto TCP 2099 de forma predeterminada) y dos interfaces RMI (que escucha en un único puerto alto TCP asignado dinámicamente). El puerto 2099 sirve como Java Remote Method Invocation (RMI) registro que permite cargar y procesar datos de forma remota a través de interfaces RMI. Un atacante no autenticado con conectividad de red al registro RMI y a los puertos de la interfaz RMI puede abusar de esta funcionalidad para indicar a la aplicación webMethods OneData que cargue un objeto Java serializado malicioso como parámetro de uno de los métodos Java disponibles presentados por la interfaz RMI. Una vez deserializado en el servidor vulnerable, el código malicioso se ejecuta como cualquier cuenta del sistema operativo que se utilice para ejecutar el software, que en la mayoría de los casos es la cuenta de System local en Windows.

*Credits: N/A

CVSS Scores

NISTv3.1 9.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-02-20 CVE Reserved
2023-09-06 CVE Published
2024-09-26 CVE Updated
2024-10-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (1)

URL	Tag	Source
https://www.softwareag.com/en_corporate/platform/integration-apis/webmethods-integration.html	Product

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Softwareag Search vendor "Softwareag"	Webmethods Search vendor "Softwareag" for product "Webmethods"	10.11 Search vendor "Softwareag" for product "Webmethods" and version "10.11"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe