September 27, 2023

A zero-day vulnerability has been discovered in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines and native compilation.

Tracked as CVE-2022-4116, the flaw has a CVSS score of 9.8 and lies in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that can potentially lead to remote code execution.

Exploiting the vulnerability is relatively straightforward and can be done by a threat actor without any privileges.


It doesn’t impact services running in production; it only impacts developers building services using Quarkus. If a developer running Quarkus locally visits a website with malicious JavaScript, that JavaScript can silently execute code on the developer’s machine.

The consequences may include the installation of a keylogger on the local machine to capture login information for production systems, or the use of GitHub tokens to modify source code.

Researchers stated that the Quarkus team released a fix for CVE-2022-4116 in versions 2.14.2.Final and 2.13.5.Final (long-term support, LTS). The fix requires the Dev UI to check the Origin header, so that it only accepts requests carrying a specific header that is set by the browser and cannot be modified by JavaScript.
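As an added illustration of the mitigation described above (not Quarkus's own code), the following Python snippet shows an Origin check in front of a localhost development endpoint: the browser attaches the Origin header to cross-site requests and page scripts cannot alter it, so a request carrying a foreign Origin is refused before any configuration change is applied. The host, port and sample headers are constructed for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Origins the dev server treats as itself (constructed for this example).
DEV_HOST = "localhost"
DEV_PORT = 8080
ALLOWED_ORIGINS = {f"http://{DEV_HOST}:{DEV_PORT}", f"http://127.0.0.1:{DEV_PORT}"}


def origin_allowed(headers) -> bool:
    """Decide whether a state-changing request may reach the config editor.

    Browsers set Origin on cross-site requests and page JavaScript cannot
    override it, so a value outside ALLOWED_ORIGINS reliably identifies a
    drive-by request from a foreign site. A request with no Origin at all
    is refused as well: a browser would have sent one, so its absence means
    a non-browser client or a stripped header, and neither is allowed to
    edit development configuration silently.
    """
    origin = headers.get("Origin")
    if origin is None:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # malformed value or the opaque "null" origin
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    return normalized in ALLOWED_ORIGINS


class ConfigEditorHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a dev-UI config endpoint guarded by the check."""

    def do_POST(self):
        if not origin_allowed(self.headers):
            self.send_error(403, "cross-origin request to dev UI refused")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)  # a real dev UI would apply this change
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Serves only on the loopback interface; the Origin check still applies,
    # because a drive-by request also arrives over loopback from the browser.
    HTTPServer((DEV_HOST, DEV_PORT), ConfigEditorHandler).serve_forever()
```

Run it and post to http://localhost:8080/ with and without an Origin header from a browser or curl to see the 204 and 403 responses.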
