CVE-2023-39023
Description
university compass v2.2.0 and below was discovered to contain a code injection vulnerability in the component org.compass.core.executor.DefaultExecutorManager.configure. This vulnerability is exploited via passing an unchecked argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Code injection vulnerability in university compass v2.2.0 and below allows arbitrary command execution via unchecked argument in DefaultExecutorManager.configure.
Vulnerability
The vulnerability resides in the org.compass.core.executor.DefaultExecutorManager.configure method of university compass versions 2.2.0 and below [1]. This method accepts a CompassSettings object and uses the setting "compass.executorManager.workManager.workManagerJndiName" to perform a JNDI lookup without proper validation. An attacker can supply a malicious LDAP or RMI URL, leading to code injection [1].
Exploitation
An attacker needs to pass a crafted CompassSettings object to the configure method, which may be possible if the application accepts user-controlled settings. The attacker sets "compass.executorManager.type" to "commonj" and provides a JNDI name pointing to an attacker-controlled LDAP server that serves malicious code [1]. No authentication is required if the settings are externally controllable.
Impact
Successful exploitation allows arbitrary command execution on the server, leading to full compromise of the application and underlying system. The attacker gains the same privileges as the application process.
Mitigation
As of the publication date, no fixed version has been released. The suggested workaround is to filter LDAP, RMI, and related protocols in JNDI lookups [1]. Users should upgrade to a patched version if available, or apply input validation to prevent untrusted settings from reaching the vulnerable method.
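The workaround above amounts to refusing any JNDI name that carries a URL scheme before it reaches the lookup. The following Java class is an added example written for this page, not code from the Compass project: the class name, the `validateJndiName`/`lookupWorkManager` method names, the `java:comp/env/` allowlist pattern and the sample names in `main` are all assumptions chosen to illustrate the check; only the setting key is taken from the narrative above.

```java
import java.util.Locale;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (not Compass project code): validate a JNDI name that comes
 * from an externally supplied setting before performing the lookup.
 * Names carrying a URL scheme (ldap, ldaps, rmi, iiop, dns, ...) are rejected;
 * only container-local names under java:comp/env/ are allowed (assumed policy).
 */
public final class SafeJndiLookup {

    // Setting key quoted in the CVE narrative.
    static final String WORK_MANAGER_KEY =
        "compass.executorManager.workManager.workManagerJndiName";

    // Assumed allowlist: java:comp/env/<segment>(/<segment>)*
    private static final Pattern LOCAL_NAME =
        Pattern.compile("^java:comp/env/[A-Za-z0-9_.\\-]+(/[A-Za-z0-9_.\\-]+)*$");

    /** Returns the name unchanged if it is acceptable, otherwise throws. */
    public static String validateJndiName(String name) {
        if (name == null || name.isBlank()) {
            throw new IllegalArgumentException(WORK_MANAGER_KEY + " is empty");
        }
        String lower = name.toLowerCase(Locale.ROOT);
        // A "scheme:" prefix other than java: selects a URL context factory
        // (ldap:, ldaps:, rmi:, iiop:, dns:, ...) that can reach remote hosts;
        // refuse such names outright instead of maintaining a denylist.
        if (lower.contains("://") || (lower.indexOf(':') >= 0 && !lower.startsWith("java:"))) {
            throw new IllegalArgumentException(
                "refusing JNDI name with URL scheme in " + WORK_MANAGER_KEY);
        }
        if (!LOCAL_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException(
                "JNDI name must be a java:comp/env/ resource: " + name);
        }
        return name;
    }

    /** Performs the lookup only after the configured name passes validation. */
    public static Object lookupWorkManager(String configuredName) throws NamingException {
        String safeName = validateJndiName(configuredName);
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(safeName);
        } finally {
            ctx.close();
        }
    }

    // Constructed sample inputs for a local check; the rejected cases never
    // reach lookup(), so no application server is needed to exercise them.
    public static void main(String[] args) {
        String[] samples = {
            "java:comp/env/wm/default",      // accepted
            "ldap://example.invalid/a",      // rejected: URL scheme
            "rmi://127.0.0.1:1099/x",        // rejected: URL scheme
            "../escaped",                    // rejected: not under java:comp/env
        };
        for (String s : samples) {
            try {
                validateJndiName(s);
                System.out.println("ACCEPT " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is deliberately an allowlist rather than a list of banned schemes: JNDI resolves any `scheme:` prefix through a URL context factory, so enumerating ldap and rmi alone leaves other factories reachable. Validation of this kind belongs at the point where settings enter the application, so that a user-controlled `CompassSettings` object never carries a remote name into `configure`.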
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- university compass / university compass
- Range: <=2.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.