Insufficient verification of data authenticity in IcedTeaWeb

#VU55311 Insufficient verification of data authenticity in IcedTeaWeb

Published: 2021-07-26

Vulnerability identifier: #VU55311

Vulnerability risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10181

CWE-ID: CWE-345

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IcedTeaWeb
Web applications / Modules and components for CMS

Vendor: AdoptOpenJDK

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to executable code can be injected in a JAR file without compromising the signature verification. A remote attacker can inject code in a trusted JAR.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IcedTeaWeb: 1.7 - 1.8.2

External links
http://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181
http://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
http://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
http://seclists.org/bugtraq/2019/Oct/5
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for IcedTeaWeb

Multiple vulnerabilities in IcedTeaWeb