Vulnerability Note VU#706359
Aternity version 9 vulnerable to cross-site scripting and remote code execution
The Aternity webserver, version 9 and prior, is reportedly vulnerable to cross-site scripting (XSS) on several web pages, and to remote code execution because untrusted functionality can be included by default without proper authentication before execution.
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2016-5061
The Aternity HTTPAgent, MacAgent, getExternalURL and retrieveTrustedUrl pages are reportedly susceptible to cross-site scripting (XSS). An attacker may be able to craft a malicious script that can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server.
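To make the Basic XSS pattern (CWE-80) concrete, the following is an added example (not code from the advisory or from Aternity) showing a reflected parameter echoed into a page untouched beside the hardened form that escapes it for an HTML text context; the parameter name `url`, the host `aternity.example` and the request URL are constructed for the example. It also goes beyond the text in one respect: when the value lands in an `href` attribute, escaping alone is not enough and the URL scheme must be validated as well.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request: a query parameter reflected into the page.
SAMPLE_URL = ("http://aternity.example/getExternalURL"
              "?url=%3Cscript%3Ealert(1)%3C/script%3E")

# Schemes acceptable for a value placed in an href attribute.
ALLOWED_SCHEMES = ("http", "https")


def first_param(url, name):
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Echoes the parameter into the HTML body untouched (CWE-80)."""
    return "<p>Redirecting to: %s</p>" % first_param(url, "url")


def render_hardened(url):
    """Escapes the parameter for an HTML text context before it reaches the page."""
    return "<p>Redirecting to: %s</p>" % html.escape(first_param(url, "url"), quote=True)


def safe_href(value):
    """Attribute context needs more than escaping: reject anything that is not an
    http(s) URL before it is placed in an href, then escape for the attribute."""
    if urlparse(value).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return html.escape(value, quote=True)


def contains_active_markup(page):
    """Crude defender-side check on rendered output: an unescaped script tag survived."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))
    print(render_hardened(SAMPLE_URL))
    print(safe_href(first_param(SAMPLE_URL, "url")))
```

`html.escape` neutralizes the tag characters, so the reflected value is displayed rather than executed; `safe_href` shows why a redirect helper must also validate the destination, since an escaped `javascript:` URL is still a live link.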
The remote code execution issue (CVE-2016-5062) stems from functionality being reachable without authentication before execution. The Oracle Java SE documentation on remote JMX monitoring describes the risk of running such a connector with security disabled:

“Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.

Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems.”
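The configuration the caution above warns about is set through JVM system properties. The following added example (not code from the advisory, from Aternity, or from Oracle) is a defender-side audit that parses a Java process command line and flags a remote JMX connector whose authentication or SSL has been explicitly switched off. The property names are the real `com.sun.management.jmxremote.*` properties from the Java SE management documentation; the two command lines, the port 9999 and the file paths are constructed for the example, and whether Aternity itself is launched this way is not stated by the advisory.

```python
import shlex

# Real Java system properties that govern the remote JMX connector.
JMX_PORT = "com.sun.management.jmxremote.port"
JMX_AUTH = "com.sun.management.jmxremote.authenticate"
JMX_SSL = "com.sun.management.jmxremote.ssl"

# Constructed command lines: the weak setting beside the corrected one.
WEAK_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false -jar server.jar"
)
HARDENED_CMDLINE = (
    "java -Dcom.sun.management.jmxremote.port=9999 "
    "-Dcom.sun.management.jmxremote.authenticate=true "
    "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password "
    "-Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access "
    "-Dcom.sun.management.jmxremote.ssl=true -jar server.jar"
)


def jvm_properties(cmdline):
    """Parse every -Dname=value option out of a JVM command line into a dict.
    A bare -Dname yields an empty string, matching the JVM's own behaviour."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            name, _sep, value = tok[2:].partition("=")
            props[name] = value
    return props


def audit_jmx(cmdline):
    """Return findings for a JVM whose remote JMX connector is exposed without
    authentication or transport security. An empty list means nothing to report."""
    props = jvm_properties(cmdline)
    findings = []
    if JMX_PORT not in props:
        return findings  # no remote connector configured at all
    port = props[JMX_PORT]
    # The JVM defaults for both properties are "true"; the insecure state is an
    # explicit opt-out, which is exactly the configuration the caution describes.
    if props.get(JMX_AUTH, "true").strip().lower() == "false":
        findings.append(f"remote JMX on port {port} with authentication disabled")
    if props.get(JMX_SSL, "true").strip().lower() == "false":
        findings.append(f"remote JMX on port {port} without SSL")
    return findings


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("hardened", HARDENED_CMDLINE)):
        print(label, audit_jmx(cmd) or "no findings")
```

In practice the command line would come from the host's process list; the check is deliberately conservative and reports only explicit opt-outs, since with the properties left at their defaults the connector requires authentication.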
It is believed that Aternity version 9 and prior are affected by this vulnerability, but the CERT/CC has not received confirmation from the vendor.
A remote unauthenticated attacker may be able to craft a malicious script that can access any cookies, session tokens, or other sensitive information retained by the browser and used with the Aternity server, or execute code on the server with SYSTEM privileges.
The CERT/CC is currently unaware of a practical solution to this problem. However, the following workarounds are recommended:
Restrict access to port 14777
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Aternity | Unknown | 09 Aug 2016 | 13 Sep 2016 |
CVSS Metrics
Thanks to Matthew Benton and Richard Kelley for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-5061 CVE-2016-5062
- Date Public: 28 Sep 2016
- Date First Published: 28 Sep 2016
- Date Last Updated: 28 Sep 2016
- Document Revision: 22