Credential Stuffing Surge Targets Businesses and Individuals.
The recent surge in credential stuffing attacks highlighted by Okta serves as a stark reminder of the importance of robust cyber security practices. These attacks…
Critical remote code execution vulnerability found in Quarkus Java Framework
Description:
Security researcher Joseph Beeton at Contrast Security has discovered a remote code execution vulnerability within the popular Java framework Quarkus, made for Java virtual machines. A malicious actor can exploit the vulnerability without privileges and is found within the Dev UI Config Editor. Tracked as CVE-2022-4116, the vulnerability has been given a critical severity rating of 9.8 due to its low attack complexity and not requiring user interaction to exploit.
Notably, the vulnerability does not impact services running in production but instead impacts developers building services using Quarkus. The researcher notes that if a developer running Quarkus locally visits a website with malicious JavaScript, the JavaScript can quietly execute code on the developer’s machine to target the vulnerability. He noted that “the potential exists for the silent code to take more damaging actions, such as installing a keylogger on the local machine to capture login information to production systems or using GitHub tokens to modify source code”. Websites commonly visited by developers could be compromised to host malicious JavaScript, such as tutorial websites for Quarkas or through spear phishing sites.
As developers often have access to codebases, server credentials, and Amazon Web Services keys, a threat actor who successfully exploits the vulnerability would potentially have access to a significant amount of data, allowing them to target other machines or users on the network.
A full technical explanation of the vulnerability, including proof of concept code, can be found here.
Preventions:
To fix your device from being vulnerable to attacks looking to exploit CVE-2022-4116, update your build of Quarkus to the fixed version as soon as possible.
Related Links:
https://thehackernews.com/2022/12/researchers-disclose-critical-rce.html – Published 1st December
Related articles
Cisco Firewall Vulnerabilities: Urgent Action Needed to Protect Against State-Sponsored Espionage
Businesses and organisations relying on Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) firewalls are being advised to take immediate action to protect…
Cybercriminals Threaten Release of Sensitive World-Check Database
A recent cyber attack has resulted in a serious data breach affecting the World-Check database, a critical tool used by financial institutions and other organisations…