May 11, 2020

GHSL-2020-055: Server-Side Template Injection in Apache Syncope (RCE) - CVE-2019-17557

Alvaro Muñoz

Summary

A Server-Side Template Injection in the Mail templates was identified in Apache Syncope enabling attackers to inject arbitrary JEXL expressions, leading to a Remote Code Execution (RCE) vulnerability.

Product

Apache Syncope

Tested Version

syncope-2.1.5

Details

Server-Side Template Injection on Mail templates (GHSL-2020-055, CVE-2019-1961)

Mail templates use JEXL expressions. Even though Syncope applies an Uberspector (org.apache.syncope.core.provisioning.api.jexl.ClassFreeUberspect) to prevent access to java.lang.Object.getClass and java.lang.Object.class, it is still possible to obtain a Class instance by other means. For example, an attacker could obtain a Class instance by reading the TYPE field of boxed classes such as Integer, Long, Boolean, etc.

e.g.:

(1).TYPE

From there, an attacker could use Java reflection to instantiate arbitrary objects.

Note that since Core and EndUser are normally deployed with the same origin, an XSS issue allows an attacker to send such malicious requests by fooling the administrator into clicking a malicious link.

Impact

This issue may lead to Remote Code Execution.

Remediation

Use the Sandboxed Uberspector or customize a whitelist-based one.
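The following is an added illustration of the whitelist-based approach, not Syncope's own code: it wires a JEXL 3 JexlSandbox into the engine so that only explicitly listed classes and members are reachable, which closes the static-field route to a Class object described above. The User bean, the member names and the sample expressions are assumptions made for the example.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class SandboxedMailTemplates {

    // Hypothetical bean standing in for the objects a mail template is given.
    public static class User {
        private final String username;
        public User(String username) { this.username = username; }
        public String getUsername() { return username; }
    }

    // Build an engine whose sandbox is black-box by default: a class that is not
    // listed here gets no read/write/execute permission at all, so a Class object
    // reached through a static field such as Integer.TYPE is not reachable either.
    static JexlEngine buildEngine() {
        JexlSandbox sandbox = new JexlSandbox(false);
        sandbox.white(User.class.getName()).read("username");            // property read only
        sandbox.white(String.class.getName()).execute("toUpperCase", "trim", "length");
        return new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // an unresolvable member is an error ...
                .silent(false)  // ... and errors are thrown rather than turned into null
                .create();
    }

    // Evaluate one template expression; returns the rendered value or the refusal.
    static String render(JexlEngine jexl, String expression, JexlContext ctx) {
        try {
            return String.valueOf(jexl.createExpression(expression).evaluate(ctx));
        } catch (JexlException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        JexlEngine jexl = buildEngine();
        JexlContext ctx = new MapContext();
        ctx.set("user", new User("alice"));

        System.out.println(render(jexl, "user.username.toUpperCase()", ctx)); // legitimate use
        // The static-field route to a Class object is refused: java.lang.Integer
        // has no permissions in this sandbox, so the TYPE read is unresolvable.
        System.out.println(render(jexl, "(1).TYPE", ctx));
        // Even a listed class exposes only the members named in buildEngine().
        System.out.println(render(jexl, "user.username.getClass()", ctx));
    }
}
```

The sandbox checks permissions against the runtime class of each receiver, so every type a template legitimately touches has to be listed with the members it needs; anything left out is denied rather than allowed.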

This issue was addressed in the following commit

CVE

  • CVE-2019-1961

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 04/01/2020: Report sent to Apache
  • 04/02/2020: Issue acknowledged
  • 04/02/2020: Apache sends draft advisory
  • 05/11/2020: Public Advisory

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include GHSL-2020-055 in any communication regarding this issue.