Security researchers from Assetnote disclosed a pre-authentication remote code execution (RCE) vulnerability in dotCMS. The flaw is tracked with a CVE ID ‘CVE-2022-26352’ is a critical vulnerability that is associated with a directory crawl attack while downloading files that allows the attacker to execute arbitrary commands on underlying systems. It’s possible to achieve code execution by uploading a JSP file to the tomcat’s root directory that leads to command execution. Since the vulnerability causes remote code execution while downloading files, users of dotCMS should be aware of this flaw. Let’s discuss how to fix the RCE vulnerability in dotCMS in this post.
What is dotCMS?
dotCMS is a hybrid CMS built on the leading Java technology. It’s a next-generation platform supporting the flexibility of a headless CMS with the traditional content authoring efficiency. dotCMS empowers both developers and marketers with the ability to create and reuse content for building engaging, connected, and memorable digital products. They provide a community-driven edition of their CMS that is free to download and use.
Summary Of CVE-2022-26352
CVE-2022-26352 is a pre-auth remote code execution vulnerability in DotCMS, which was achievable by performing a directory traversal attack while uploading files. This vulnerability allows an attacker to execute arbitrary commands and is exploitable with DotCMS default configurations.
An attacker can upload arbitrary files to the system by uploading the JSP file to the tomcat’s root directory. It’s possible to achieve code execution that leads to command execution. Attackers may use this vulnerability to overwrite existing files with a web shell. It can subsequently be exploited to attain permanent remote access.
Products Affected By CVE-2022-26352
The advisory confirmed this flaw affects dotCMS v22.01 and below. Moreover, this vulnerability may work on 22.02, but it has not been confirmed.
How To Fix The RCE Vulnerability In dotCMS?
The best way to fix the RCE vulnerability in dotCMS is to upgrade to versions containing fixes for the issue. It includes versions 22.03, 18.104.22.168_lts and/or 21.06.7_lts. Here are recommended ways to mitigate the issue. Click here for more information.
If an upgrade is not an immediate option, dotCMS have developed OSGI-based plugins that can be deployed in your dotCMS environment.
DotCMS have developed an OSGI plugin to mitigate the problem in running instances. This plugin is designed to work with the versions 5.1.6 and the latest and can be found here.
A plugin version has also been developed for users running unsupported, older versions. This plugin should give the same protection as the above plugin. However, it is suggested to validate the plugin in your environment.
This vulnerability does not impact unsupported versions of dotCMS before v4.0. It’s not 100% guaranteed that this issue does not exist in dotCMS versions outside their support lifetime.
The vulnerability can be mitigated by implementing rules prohibiting path traversal requests on some WAF frameworks. For instance, AWS WAF has a ruleset called GenericLFI_BODY that inspects for the presence of local file inclusion exploits in the request body. Such a ruleset can cause issues like preventing files, including relative paths, from being uploaded. The rule is effective in the production environment.