Zero-Day Flaw Discovered in Quarkus Java Framework
A high-severity zero-day vulnerability has been discovered in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines (JVMs) and native compilation.
Tracked as CVE-2022-4116, the flaw has a CVSS v3 base score of 9.8 and lies in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks, potentially leading to remote code execution (RCE).
According to Joseph Beeton, a senior application security researcher at Contrast Security, exploiting the vulnerability is relatively straightforward and can be done by a threat actor without any privileges.
“While preparing a talk for the recent DeepSec Conference about attacking the developer environment through drive-by localhost, I reviewed some popular Java frameworks to see if they were vulnerable,” Beeton wrote in an advisory published on Tuesday.
“To be clear, CVE-2022-4116 doesn’t impact services running in production; it only impacts developers building services using Quarkus. If a developer running Quarkus locally visits a website with malicious JavaScript, that JavaScript can silently execute code on the developer’s machine.”
As part of his testing, Beeton created a payload that opens the system calculator. However, the security expert warned that the silent code could potentially take more damaging actions.
These may include installing a keylogger on the local machine to capture login credentials for production systems, or using the developer's GitHub tokens to modify source code.
“We’re not sure how extensively the Red Hat build of Quarkus is used. Having been started only in 2019, the Quarkus framework is still young, and the Spring Boot framework is said to be far more popular,” Beeton added, addressing the potential scope of the vulnerability.
“But it’s worth noting that Quarkus is reportedly getting more popular, particularly in Kubernetes use cases, given its ease of use and significantly lighter demand on hardware resources to run and to run applications.”
Beeton clarified that the Quarkus team released a fix for CVE-2022-4116 in versions 2.14.2.Final and 2.13.5.Final (the long-term support, LTS, line). The fix makes the Dev UI check the Origin header, so that it only accepts requests carrying that header with an expected value; the browser sets the Origin header itself, and page JavaScript cannot modify it.
“While CVE-2022-4116 has been fixed, there are likely many more equivalent vulnerabilities in other frameworks. Luckily, there is a solution on the horizon that should block this attack vector without finding and fixing each vulnerable framework: W3C’s new Private Network Access specification.”
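The two mitigations described above, the Origin allow-list check the Quarkus fix added and the server side of the W3C Private Network Access (PNA) preflight, can be written as one framework-agnostic request filter for a developer-only endpoint bound to localhost. The code below is an added example for this article and is not Quarkus's own code; the function and class names, the strict treatment of a missing Origin header, and the sample requests are all assumptions constructed for the illustration. The PNA header names (`Access-Control-Request-Private-Network` on the preflight, `Access-Control-Allow-Private-Network` on the response) are those of the W3C draft.

```python
"""
Added example (not Quarkus's own code): Origin allow-listing for a dev-only
HTTP endpoint, plus the response side of a Private Network Access preflight.
Assumed names: Decision, check_dev_ui_request; header lookup is case-insensitive.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Decision:
    allowed: bool
    reason: str
    response_headers: dict = field(default_factory=dict)


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    lname = name.lower()
    for key, value in headers.items():
        if key.lower() == lname:
            return value
    return None


def _normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin value to scheme://host[:port]; None if malformed or 'null'."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port in (None, default):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_dev_ui_request(method: str, headers: dict, allowed_origins: set) -> Decision:
    """Decide whether a request to the dev endpoint may proceed.

    allowed_origins: the origins the developer legitimately opens the dev UI
    from (assumption: normally just the dev UI's own origin).
    """
    allowed = {_normalize_origin(o) for o in allowed_origins} - {None}
    origin_raw = _header(headers, "Origin")
    if origin_raw is None:
        # Strict design choice (assumption): browsers always attach Origin to
        # cross-origin and state-changing requests and scripts cannot strip it,
        # so a request without it is not treated as coming from the dev UI.
        return Decision(False, "missing Origin header")
    origin = _normalize_origin(origin_raw)
    if origin is None or origin not in allowed:
        # A page on any other site (the drive-by case) lands here and is refused;
        # for a PNA preflight this also means no Allow-Private-Network header,
        # so the browser blocks the actual request before it is sent.
        return Decision(False, f"origin {origin_raw!r} not in allow-list")
    resp = {"Vary": "Origin"}
    if (method.upper() == "OPTIONS"
            and _header(headers, "Access-Control-Request-Private-Network") == "true"):
        # PNA preflight: the browser asks whether a page may talk to a
        # loopback/private address; only an allow-listed origin gets consent.
        resp["Access-Control-Allow-Private-Network"] = "true"
        return Decision(True, "preflight accepted for allow-listed origin", resp)
    return Decision(True, "origin allow-listed", resp)


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "dev_ui_same_origin": ("POST", {"Origin": "http://localhost:8080"}),
    "drive_by_page": ("POST", {"Origin": "https://attacker.example"}),
    "no_origin": ("POST", {"Content-Type": "application/json"}),
    "pna_preflight_foreign": ("OPTIONS", {"Origin": "https://attacker.example",
                                          "Access-Control-Request-Private-Network": "true"}),
    "pna_preflight_local": ("OPTIONS", {"origin": "HTTP://LOCALHOST:8080",
                                        "access-control-request-private-network": "true"}),
}
ALLOWED = {"http://localhost:8080"}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> Decision."""
    return {name: check_dev_ui_request(m, h, ALLOWED) for name, (m, h) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:24} allowed={d.allowed!s:5} {d.reason} {d.response_headers}")
```

The check is deliberately an allow-list rather than a block-list of known bad origins: a developer endpoint has exactly one legitimate caller, the page the developer opened, so everything else is refused. The PNA branch shows why the specification closes the class of bug generically: a public page must first get explicit consent in a preflight before the browser lets it reach a loopback address at all, so a framework that never sets `Access-Control-Allow-Private-Network` is protected even if its own origin check is missing.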
The discovery comes weeks after CrowdStrike security researchers discovered a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure.