[Glassfish] Remote Code Execution via EL Injection
The reporter wrote:
While reviewing the GlassFish Administration Console, we found an Expression Language (EL) Injection vulnerability that leads to authenticated Remote Code Execution (RCE) on the underlying operating system.
By abusing the alertSummary and alertDetail parameters on several admin console endpoints (for example, /web/configuration/virtualServerEdit.jsf), an authenticated attacker can inject malicious EL expressions, invoke java.lang.Runtime, and execute arbitrary system commands with the privileges of the GlassFish service account.
We have prepared a short report in a GitHub Security Advisory–style format that includes:
- A clear description of the issue
- Proof of concept (manual and automated, including the exploitSSTI.py script)
- Impact assessment with a proposed CVSS v3.1 score
- Suggested remediation ideas and a list of potentially affected endpoints
We are attaching the following files for your review:
- Full vulnerability report: Vulnerability_Report_GlassFish_RCE.pdf
- Detailed list of vulnerable endpoints: glassfish_vulnerable_endpoints.txt
- Exploit: Glassfish_RCE.py
- PoC video: Demo_Glassfish_RCE.mp4
Attachments: Glassfish_vulnerable_endpoints.txt, Vulnerability_Report_GlassFish_RCE.pdf
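The vulnerability class the reporter describes, shown as an added illustration that is not GlassFish's own admin-console code: a string taken from a request parameter (here a stand-in for alertSummary) is handed to the Jakarta EL engine as an expression instead of being treated as data, next to a hardened version that renders it as a literal. The class and method names are invented for this example; it assumes the Jakarta EL API plus an EL implementation (such as the one shipped with GlassFish) on the classpath, and the probe expression uses harmless arithmetic rather than java.lang.Runtime so it is safe to run.

```java
import jakarta.el.ELContext;
import jakarta.el.ELProcessor;
import jakarta.el.ExpressionFactory;
import jakarta.el.ValueExpression;

// Illustration of the EL-injection pattern only; hypothetical class, NOT GlassFish code.
public class AlertMessageDemo {

    private final ELProcessor elp = new ELProcessor();
    private final ExpressionFactory factory = ExpressionFactory.newInstance();

    /**
     * Vulnerable: the attacker-controlled parameter value is passed to the EL engine
     * as the expression text itself. Plain text passes through unchanged, but any
     * embedded #{...} or ${...} is parsed and evaluated with the server's privileges.
     */
    public String renderVulnerable(String alertSummary) {
        ELContext ctx = elp.getELManager().getELContext();
        ValueExpression ve = factory.createValueExpression(ctx, alertSummary, String.class);
        return String.valueOf(ve.getValue(ctx));
    }

    /**
     * Hardened: the parameter is data, never an expression. It is HTML-escaped and
     * emitted as a literal; as defense in depth, anything containing an EL delimiter
     * is rejected outright rather than rendered.
     */
    public String renderHardened(String alertSummary) {
        if (alertSummary == null) {
            return "";
        }
        if (alertSummary.contains("#{") || alertSummary.contains("${")) {
            throw new IllegalArgumentException("EL delimiters are not allowed in alert text");
        }
        return escapeHtml(alertSummary);
    }

    // Minimal HTML escaping so the literal cannot break out of the page either.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
    }

    public static void main(String[] args) {
        AlertMessageDemo demo = new AlertMessageDemo();

        // Constructed inputs: one benign message and one EL probe (arithmetic only).
        String benign = "Deployment finished";
        String probe = "#{1 + 1}";

        System.out.println(demo.renderVulnerable(benign)); // Deployment finished
        System.out.println(demo.renderVulnerable(probe));  // 2  <- the expression was evaluated

        System.out.println(demo.renderHardened(benign));   // Deployment finished
        try {
            demo.renderHardened(probe);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the vulnerable path prints 2 for the probe, the engine is evaluating request-derived text, and a `#{''.getClass()...}` chain of the kind the reporter mentions would run with the service account's privileges. The delimiter check is only a backstop: the actual fix is that request parameters are never used as expression source text, so the rejection branch should never need to fire in a correctly written page.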
Steps to reproduce
Described in Vulnerability_Report_GlassFish_RCE.pdf
What are the affected versions?
Eclipse GlassFish 7.1.0 & Eclipse GlassFish 8.0.0
Do you know any mitigations of the issue?
Credits
- Gabriel A. Hinostroza Ayala
- Camilo Galdos aka Dédalo