OpenText Extended ECM 22.3 Java Frontend Remote Code Execution

SEC Consult Vulnerability Lab Security Advisory < 20230117-1 >
=======================================================================
              title: Pre-authenticated Remote Code Execution via Java frontend
                     and QDS endpoint
            product: OpenText™ Content Server component of
                     OpenText™ Extended ECM
 vulnerable version: 20.4 - 22.3
      fixed version: 22.4
         CVE number: CVE-2022-45927
             impact: Critical
           homepage: https://www.opentext.com
              found: 2022-09-16
                 by: Armin Stock (Atos)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos company
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"OpenText™ Extended ECM is an enterprise CMS platform that securely governs
the information lifecycle by integrating with leading enterprise applications,
such as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing
content and processes together, Extended ECM provides access to information
when and where it’s needed, improves decision-making and drives operational
effectiveness."

Source: https://www.opentext.com/products/extended-ecm


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.


Vulnerability overview/description:
-----------------------------------
1) Pre-authenticated Remote Code Execution via Java frontend and QDS endpoint (CVE-2022-45927)

The `QDS` endpoints of the `Content Server` are not protected by the normal
user management functionality of the `Content Server`. Instead, they check the
value of the key `_REQUEST` in the incoming data. Normally this parameter is
set by the HTTP frontend (e.g. the `CGI` binary `cs.exe` or the `Java`
application servlet) to `llweb`. A bug in the `Java` frontend, found in
`%OT_BASE%/application/cs.war`, allows an attacker to set the key `_REQUEST`
to an arbitrary value and thereby bypass the authorization check.

Most of the endpoints cannot be called, because they require specific data
types for the incoming data which the attacker cannot control: only strings
can be supplied through the frontend. A few endpoints can still be called,
however, and these allow an attacker to create files or execute arbitrary
code on the ..
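The two points above (a backend that trusts a frontend-set marker, and endpoints that are only reachable when their argument types can be satisfied) are illustrated below with an added example. It is not code from the advisory or from OpenText: only the key name `_REQUEST` and the value `llweb` are taken from the text. The exact form of the QDS check, the merge-order bug in the frontend, the reserved-key filter, the endpoint names and the sample parameters are all assumptions made for this illustration.

```python
"""Added illustration of the trust-boundary bug class described above.
Not OpenText code. Only `_REQUEST` and `llweb` come from the advisory; every
handler name, the merge-order bug, the reserved-key filter and the sample
parameters are assumptions made for this example."""
from typing import Any, Callable, Dict, Mapping

MARKER_KEY = "_REQUEST"   # advisory: the QDS check looks at this key
WEB_MARKER = "llweb"      # advisory: the HTTP frontend sets it to this value
RESERVED_KEYS = {MARKER_KEY}   # assumption: keys a client must never set


class Unauthorized(Exception):
    pass


def check_origin(data: Mapping[str, Any]) -> None:
    """Assumed shape of the QDS check: no user authentication at all, just a
    refusal of requests the frontend has tagged as coming from the web."""
    if data.get(MARKER_KEY) == WEB_MARKER:
        raise Unauthorized("QDS endpoints are not reachable through the web frontend")


def qds_string_endpoint(data: Mapping[str, Any]) -> str:
    """Hypothetical endpoint that only needs string arguments, i.e. the kind
    the advisory says an attacker can still reach. Nothing is written here;
    the return value just records that the endpoint ran."""
    check_origin(data)
    return "file endpoint reached with path " + str(data.get("path", "<none>"))


def qds_typed_endpoint(data: Mapping[str, Any]) -> str:
    """Hypothetical endpoint that needs a real integer object. A frontend that
    forwards only strings cannot satisfy it even after the origin check is
    bypassed, which is why most endpoints stay out of reach."""
    check_origin(data)
    count = data.get("count")
    if not isinstance(count, int):
        raise TypeError("count must be an int object, got " + type(count).__name__)
    return "repeated %d times" % count


def vulnerable_frontend(client_params: Mapping[str, str]) -> Dict[str, str]:
    """Assumed bug shape: the tag is written first and client parameters are
    merged afterwards, so a client-supplied `_REQUEST` overwrites the tag."""
    backend_data: Dict[str, str] = {MARKER_KEY: WEB_MARKER}
    backend_data.update(client_params)          # client wins on key collision
    return backend_data


def hardened_frontend(client_params: Mapping[str, str]) -> Dict[str, str]:
    """Reserved keys are dropped from client input and the tag is written
    last, so the backend always sees the frontend's own value."""
    backend_data = {k: v for k, v in client_params.items() if k not in RESERVED_KEYS}
    backend_data[MARKER_KEY] = WEB_MARKER        # frontend wins unconditionally
    return backend_data


def dispatch(frontend: Callable[[Mapping[str, str]], Dict[str, str]],
             endpoint: Callable[[Mapping[str, Any]], str],
             client_params: Mapping[str, str]) -> str:
    """Push one request through a frontend and an endpoint; return the outcome."""
    try:
        return "ok: " + endpoint(frontend(client_params))
    except Unauthorized as exc:
        return "denied: " + str(exc)
    except TypeError as exc:
        return "type error: " + str(exc)


# Constructed sample input: an unauthenticated web client that tries to override
# the tag. Every value is a string, as it would be when it arrives over HTTP.
ATTACKER_PARAMS = {"path": "dropped.txt", "count": "3", MARKER_KEY: "not-llweb"}

if __name__ == "__main__":
    print(dispatch(vulnerable_frontend, qds_string_endpoint, ATTACKER_PARAMS))
    print(dispatch(vulnerable_frontend, qds_typed_endpoint, ATTACKER_PARAMS))
    print(dispatch(hardened_frontend, qds_string_endpoint, ATTACKER_PARAMS))
```

The first call shows the bypass: the client-controlled `_REQUEST` survives the merge and the string-only endpoint runs. The second shows why the attack surface is narrow: the origin check is bypassed just the same, but the endpoint needs an `int` and the frontend can only deliver a `str`. The third shows the fix: the frontend discards reserved keys and writes the tag last, so the backend sees `llweb` regardless of what the client sent.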
