Apache Jackrabbit Exposes Systems To Arbitrary Code Execution Attacks
Cybersecurity
A significant security vulnerability has been identified in Apache Jackrabbit, an open-source content repository utilized in enterprise content management systems and web applications.
This vulnerability allows unauthenticated attackers to execute arbitrary code on servers running affected versions, posing a critical risk to system security and data confidentiality.
The vulnerability, designated as JCR-5135, is classified as a “Deserialization of Untrusted Data” issue. It is linked to the manner in which certain Apache Jackrabbit components manage Java Naming and Directory Interface (JNDI) lookups.
If a deployment is configured to accept JNDI URIs for Java Content Repository (JCR) lookups from untrusted or public sources, it becomes exploitable. Attackers can submit a specially crafted JNDI reference, leading the application to process it.
This results in the deserialization of untrusted data from an attacker-controlled source, potentially executing arbitrary commands on the server with the application’s privileges.
A successful exploitation may enable attackers to install malware, steal sensitive information, or gain complete control of the affected system.
Affected Versions
The vulnerability impacts numerous releases of two core project components. Users running the following versions should immediately assess their systems:
- Apache Jackrabbit Core (org.apache.jackrabbit:jackrabbit-core): Versions 1.0.0 through 2.22.1
- Apache Jackrabbit JCR Commons (org.apache.jackrabbit:jackrabbit-jcr-commons): Versions 1.0.0 through 2.22.1
Mitigation and Recommendations
The Apache Jackrabbit project team has released a patch to address this security risk. Administrators are advised to upgrade all affected deployments to version 2.22.2 or later.
The update includes a security fix that disables JCR lookups through JNDI by default, closing the attack vector for most users.
For those who need this functionality, it must be explicitly enabled via a system property. A thorough security review of its use is recommended to ensure no unvalidated data can influence the JNDI URI being processed.
Implementing the update is the most effective method to mitigate the threat.
