Remote Code Execution in GlassFish Server

Executive Summary

This vulnerability is a critical Remote Code Execution (RCE) flaw found in the server-side template rendering mechanism of the Glassfish gadget handler. It occurs because the application processes .xml files and evaluates user-supplied Expression Language (EL) expressions without proper sanitization or escaping.

An attacker can inject EL expressions such as #{7*7}, which the server evaluates and returns the result (e.g., 49), confirming that EL expressions are executed on the server side. This allows a remote attacker to execute arbitrary code on the server.

Exploitation of this vulnerability can lead to full compromise of the underlying host, including reading or modifying data, executing arbitrary commands, maintaining persistence, and moving laterally within the network.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including complete compromise of the affected server. An attacker can execute arbitrary commands remotely, which may lead to unauthorized access to sensitive data, modification or deletion of data, installation of persistent malware, and lateral movement to other systems within the network.

Such a compromise can disrupt business operations, cause data breaches, and result in loss of trust and financial damage.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the server-side template rendering mechanism for Expression Language (EL) injection. Specifically, sending crafted requests that include EL expressions such as #{7*7} in user-supplied values within .xml files can confirm if the server evaluates these expressions. If the server returns the evaluated result (e.g., 49), it indicates the presence of the vulnerability.

Commands or tests to detect this might involve sending HTTP requests with payloads containing EL expressions to the Glassfish gadget handler endpoint and observing the response for evaluated expressions.

• Use curl or similar tools to send a POST or GET request with an XML payload containing EL expressions, for example: curl -X POST -d '<data>#{7*7}</data>' http://target-server/path/to/gadget
• Monitor responses for evaluated expressions (e.g., the number 49) instead of the literal EL expression.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the vulnerable Glassfish gadget handler that processes .xml files with EL expressions.

Ensure that user-supplied input is properly sanitized or escaped before being processed by the server-side template rendering mechanism to prevent EL injection.

Apply any available patches or updates from the vendor that address this vulnerability.

Implement network-level protections such as firewall rules or access controls to limit exposure of the vulnerable service.

Useful 0 Not Useful 0

Compliance Impact

This critical Remote Code Execution vulnerability allows an attacker to fully compromise the underlying host, including reading and modifying data, executing arbitrary commands, and lateral movement. Such unauthorized access and control over sensitive data and systems can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Specifically, the ability to read or modify data without authorization can result in breaches of personal or protected health information, potentially causing non-compliance with GDPR's data protection principles and HIPAA's privacy and security rules.

Therefore, organizations using the affected Glassfish server may face increased risk of regulatory non-compliance if this vulnerability is exploited.

Useful 0 Not Useful 0