
Description:

Security researcher Joseph Beeton at Contrast Security has discovered a remote code execution vulnerability in Quarkus, the popular Java framework built for Java virtual machines. The vulnerability lies in the Dev UI Config Editor and can be exploited by a malicious actor without any privileges. Tracked as CVE-2022-4116, it has been given a critical severity rating of 9.8 because of its low attack complexity and because exploitation requires no user interaction.

Notably, the vulnerability does not affect services running in production; it affects developers building services with Quarkus. The researcher notes that if a developer running Quarkus locally visits a website hosting malicious JavaScript, that JavaScript can quietly trigger the vulnerability and execute code on the developer’s machine. He noted that “the potential exists for the silent code to take more damaging actions, such as installing a keylogger on the local machine to capture login information to production systems or using GitHub tokens to modify source code”. Websites commonly visited by developers, such as Quarkus tutorial sites, could be compromised to host the malicious JavaScript, or developers could be lured to it through spear-phishing sites.

As developers often have access to codebases, server credentials, and Amazon Web Services keys, a threat actor who successfully exploits the vulnerability could gain access to a significant amount of sensitive data and use it to target other machines or users on the network.

A full technical explanation of the vulnerability, including proof of concept code, can be found here.

Preventions:

To protect your machine from attacks that exploit CVE-2022-4116, update your build of Quarkus to the fixed version as soon as possible.

Related Links: