Vulnerability Details : CVE-2021-27850
Public exploit exists!
A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
Vulnerability category: Execute codeInformation leak
Exploit prediction scoring system (EPSS) score for CVE-2021-27850
Probability of exploitation activity in the next 30 days: 97.40%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2021-27850
-
Apache Tapestry HMAC secret key leak
Disclosure Date: 2021-04-15First seen: 2021-07-22auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_keyThis exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits (hd) : 6hd-4hd-4hd-4hd-12hd If the HMAC key has b
CVSS scores for CVE-2021-27850
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-27850
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: security@apache.org (Secondary)
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)
References for CVE-2021-27850
-
http://www.openwall.com/lists/oss-security/2021/04/15/1
oss-security - CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195Exploit;Mailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20210528-0002/
CVE-2021-27850 Apache Tapestry Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E
[SECURITY VULNERABILITY DISCLOSURE] CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195 - Pony MailMailing List;Vendor Advisory
Products affected by CVE-2021-27850
- cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*