CVE-2019-18956: Remote Code Execution (Java Deserialization) in Proxia Suite, Proxia PHR & SparkSpace

Vendor: Divisa iT
Vendor URL: https://www.divisait.com
Versions affected: Multiple versions and products (check the details section to view the full list)
Discovered by: Pablo Martinez (@xassiz), Eloy Perez (@Zer1t0)
Public fix: Yes
Proof of Concept: Yes (ref)

Summary

The dv2eemvc library deserializes a cookie in an unsafe way, leading to remote execution of arbitrary code. Multiple products are affected because they use this library.

Details

The method prepareError from the com.divisait.dv2ee.controller.MVCControllerServlet class is called every time an HTTP request is processed.

  private void prepareError(Mapping mapping, MultipartRequest request, HttpServletResponse response)
  {
    // The cookie value is fully controlled by the client
    String errorAction = HttpUtils.getCookie(request, "proxia-error");
    HttpUtils.clearSessionCookie(request, response, "proxia-error");
    if (errorAction == null) {
      return;
    }
    try
    {
      Base64 b64 = new Base64();
      byte[] message = b64.decode(errorAction);
      // base64 -> gzip -> Java serialization stream, with no integrity check or class filter
      ObjectInputStream serin = new ObjectInputStream(new GZIPInputStream(new ByteArrayInputStream(message)));

      // readObject() instantiates whatever classes the stream names before the cast is applied
      HashMap<String, Serializable> toReturn = (HashMap)serin.readObject();
      serin.close();
      if (!toReturn.isEmpty())
      {
        Iterator<?> key = toReturn.keySet().iterator();
        while (key.hasNext())
        {
          String entry = (String)key.next();
          Object data = toReturn.get(entry);
          request.setAttribute(entry, data);
        }
      }
    }
    catch (Exception e) {}
  }

This method insecurely deserializes the contents of the proxia-error cookie, so an attacker can manipulate the cookie to achieve arbitrary code execution.
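One way to constrain this kind of cookie decoding, shown as an added example that is neither the vendor's fix nor code from the advisory: a `java.io.ObjectInputFilter` allow-list (Java 9 or later) installed before `readObject()` is called. The class name `ErrorCookieCodec`, the allowed types and the size limits are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.zip.*;

public class ErrorCookieCodec {
    // Assumed allow-list: only what a String -> String/Integer map needs.
    // Map$Entry is required because HashMap checks its table array against the filter;
    // the trailing "!*" rejects every class not listed (otherwise it would be UNDECIDED and pass).
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=3;maxrefs=200;maxbytes=8192;maxarray=64;"
        + "java.util.HashMap;java.util.Map$Entry;java.lang.String;"
        + "java.lang.Integer;java.lang.Number;!*");

    /** Decodes base64(gzip(serialized HashMap)); returns an empty map on any violation. */
    static Map<String, Serializable> decode(String cookie) {
        if (cookie == null || cookie.length() > 4096) return Collections.emptyMap();
        try (ObjectInputStream in = new ObjectInputStream(new GZIPInputStream(
                new ByteArrayInputStream(Base64.getDecoder().decode(cookie))))) {
            in.setObjectInputFilter(FILTER);          // must be set before readObject()
            Object o = in.readObject();
            if (!(o instanceof HashMap)) return Collections.emptyMap();
            Map<String, Serializable> out = new HashMap<>();
            for (Map.Entry<?, ?> e : ((HashMap<?, ?>) o).entrySet()) {
                if (e.getKey() instanceof String && e.getValue() instanceof Serializable)
                    out.put((String) e.getKey(), (Serializable) e.getValue());
            }
            return out;
        } catch (IOException | ClassNotFoundException | IllegalArgumentException e) {
            // A filter rejection surfaces as InvalidClassException (an IOException); log it in real code.
            return Collections.emptyMap();
        }
    }

    /** Produces the same base64(gzip(serialized object)) layout, used here to build constructed test input. */
    static String encode(Serializable obj) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(new GZIPOutputStream(buf))) {
            out.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        HashMap<String, Serializable> ok = new HashMap<>();
        ok.put("error", "Invalid login");                                  // constructed sample value
        System.out.println(decode(encode(ok)));                            // allowed types round-trip
        System.out.println(decode(encode(new ArrayList<>(ok.keySet())))); // class not on the list: {}
    }
}
```

A filter narrows what the stream may instantiate; not deserializing client-supplied data at all, or verifying a server-side MAC over the cookie before decoding it, removes the exposure instead of narrowing it.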

The vendor provided us with the complete list of affected versions:

Lib versions:

  • dv2eemvc-17; releases between dv2eemvc-17-62 and dv2eemvc-17-147
  • dv2eemvc-18.6; releases < 18.6.42
  • dv2eemvc-19.0; releases < 19.0.13
  • dv2eemvc-19.1; releases < 19.1.19
  • dv2eemvc-19.2; releases < 19.2.41
  • dv2eemvc-19.3; releases < 19.3.37
  • dv2eemvc-19.4; releases < 19.4.13
  • dv2eemvc-20.0; releases < 20.0.13

Product versions:

  • Proxia Suite 10.1; < 10.1.5
  • Proxia Suite 10.0; < 10.0.32
  • Proxia Suite 9; < 9.12.16, 9.11.19, 9.10.26, 9.9.8, 9.8.43 & 9.7.10
  • SparkSpace 1.2; < 1.2.4
  • SparkSpace 1.1; < 1.1.2
  • SparkSpace 1.0; < 1.0.30
  • Proxia PHR 1.1; < 1.1.2
  • Proxia PHR 1.0; < 1.0.30

Impact

This vulnerability can be used to execute code on the server.

Recommendation

Update to the latest version.

Timeline

  • 29/10/2019 - Vulnerability reported to vendor
  • 30/10/2019 - (9:31) ACK from vendor
  • 30/10/2019 - (13:37) Vendor fixes the issue and releases new versions of the affected products (the mail actually arrived at 13:36)