CVE-2019-18956: Remote Code Execution (Java Deserialization) in Proxia Suite, Proxia PHR & SparkSpace
Vendor: Divisa iT
Vendor URL: https://www.divisait.com
Versions affected: Multiple versions and products (check the details section to view the full list)
Discovered by: Pablo Martinez (@xassiz), Eloy Perez (@Zer1t0)
Public fix: Yes
Proof of Concept: Yes (ref)
Summary
The dv2eemvc library deserializes a cookie in an unsafe way, leading to remote execution of arbitrary code. Multiple products are affected because they use this library.
Details
The method prepareError from the com.divisait.dv2ee.controller.MVCControllerServlet class is called every time an HTTP request is processed.
private void prepareError(Mapping mapping, MultipartRequest request, HttpServletResponse response)
{
    // The cookie value is entirely client-controlled.
    String errorAction = HttpUtils.getCookie(request, "proxia-error");
    HttpUtils.clearSessionCookie(request, response, "proxia-error");
    if (errorAction == null) {
        return;
    }
    try
    {
        Base64 b64 = new Base64();
        byte[] message = b64.decode(errorAction);
        // Base64 -> gzip -> plain ObjectInputStream with no restriction on the classes it may resolve.
        ObjectInputStream serin = new ObjectInputStream(new GZIPInputStream(new ByteArrayInputStream(message)));
        // readObject() instantiates whatever classes the stream names; the HashMap cast only happens afterwards.
        HashMap<String, Serializable> toReturn = (HashMap)serin.readObject();
        serin.close();
        if (!toReturn.isEmpty())
        {
            Iterator<?> key = toReturn.keySet().iterator();
            while (key.hasNext())
            {
                String entry = (String)key.next();
                Object data = toReturn.get(entry);
                request.setAttribute(entry, data);
            }
        }
    }
    catch (Exception e) {}
}

This method insecurely deserializes the contents of the proxia-error cookie, so an attacker who controls that cookie value can achieve arbitrary code execution.
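For comparison, the following is an added example (not Divisa iT's code) of how the same cookie could be read defensively: an ObjectInputStream subclass refuses to resolve any class outside an explicit allowlist, so the stream is rejected before a gadget class is ever loaded. The allowlisted type names, the size bound and the use of java.util.Base64 are assumptions made for this example.

```java
import java.io.*;
import java.util.*;
import java.util.zip.GZIPInputStream;

// Added example, not Divisa iT's code. ALLOWED is an assumption about what
// prepareError legitimately stores in the map; keep it to concrete, inert types.
public class SafeErrorCookie {
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Boolean"));
    // Bound the raw cookie size; a genuine error map is a few hundred bytes.
    private static final int MAX_DECODED_BYTES = 8 * 1024;

    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        // Runs before any class named in the stream is loaded or instantiated, so a
        // rejected name never reaches a gadget constructor or readObject().
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("proxia-error: rejected " + desc.getName());
            }
            return super.resolveClass(desc);
        }

        // Dynamic proxies are a common gadget ingredient and have no use here.
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("proxia-error: proxy classes not allowed");
        }
    }

    // Returns the attribute map, or an empty map if the cookie is absent, malformed, oversized or uses a disallowed class.
    @SuppressWarnings("unchecked")
    public static Map<String, Serializable> parse(String cookieValue) {
        if (cookieValue == null) return Collections.emptyMap();
        try {
            byte[] message = Base64.getDecoder().decode(cookieValue);
            if (message.length > MAX_DECODED_BYTES) return Collections.emptyMap();
            try (ObjectInputStream in = new AllowlistObjectInputStream(
                    new GZIPInputStream(new ByteArrayInputStream(message)))) {
                return (Map<String, Serializable>) in.readObject();
            }
        } catch (IOException | ClassNotFoundException | RuntimeException e) {
            // Bad Base64/gzip, InvalidClassException, or a non-map top-level object all land here.
            return Collections.emptyMap();
        }
    }
}
```

On Java 9 and later the same effect can be obtained with the built-in filter, e.g. in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.String;!*")). The more robust fix is to stop deserializing client-supplied data altogether and keep the error state server-side or in an integrity-protected token.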
The vendor provided us with the complete list of affected versions:
Lib versions:
- dv2eemvc-17; releases between dv2eemvc-17-62 and dv2eemvc-17-147
- dv2eemvc-18.6; releases < 18.6.42
- dv2eemvc-19.0; releases < 19.0.13
- dv2eemvc-19.1; releases < 19.1.19
- dv2eemvc-19.2; releases < 19.2.41
- dv2eemvc-19.3; releases < 19.3.37
- dv2eemvc-19.4; releases < 19.4.13
- dv2eemvc-20.0; releases < 20.0.13
Product versions:
- Proxia Suite 10.1; < 10.1.5
- Proxia Suite 10.0; < 10.0.32
- Proxia Suite 9; < 9.12.16, 9.11.19, 9.10.26, 9.9.8, 9.8.43 & 9.7.10
- SparkSpace 1.2; < 1.2.4
- SparkSpace 1.1; < 1.1.2
- SparkSpace 1.0; < 1.0.30
- Proxia PHR 1.1; < 1.1.2
- Proxia PHR 1.0; < 1.0.30
Impact
This vulnerability can be used to execute arbitrary code on the server.
Recommendation
Update to the latest version.
Timeline
- 29/10/2019 - Vulnerability reported to vendor
- 30/10/2019 - (9:31) ACK from vendor
- 30/10/2019 - (13:37) Vendor fixes the issue and releases new versions of the affected products (the mail actually arrived at 13:36)