CVE-2022-45378 Apache SOAP's RPCRouterServlet has no authentication, which gives attackers the ability to invoke methods on the classpath.

Due to the fact that Apache SOAP versions 1.2, 1.3 and 1.4 are no longer supported, this vulnerability poses a critical risk for customers that are running these versions. As a workaround, Apache SOAP version 1.1 or 1.2 is recommended to be used instead. This vulnerability can be exploited by sending a request with a crafted SOAP envelope to the RPCRouterServlet of Apache SOAP. Depending on the classpath a vulnerable class might be found. In Apache SOAP version 1.1 or 1.2 an attacker can even invoke arbitrary Java code on the classpath. Exploiting this vulnerability is a lot easier as it does not require any knowledge of the internals of RPCRouterServlet. This can lead to a security incident if an attacker is able to send requests to the RPCRouterServlet of Apache SOAP.

Oracle WebLogic Server

This vulnerability affects all versions of Oracle WebLogic Server, including versions prior to 12.2.1 and 12.2.2.
RPCRouterServlet is a servlet that processes SOAP requests in the HTTP protocol and provides an interface to the remote server for invoking Java code on the classpath. This vulnerability can be exploited by sending a request with a crafted SOAP envelope to the RPCRouterServlet of Apache SOAP, depending on the classpath a vulnerable class might be found.

Vulnerability Discovery and Finding Affected Software

Vulnerability Discovery:
The vulnerability was discovered by researchers at the CERT Coordination Center in March 2018.
Finding Affected Software:
In order to determine if your Apache SOAP version is vulnerable, you can use the following search string on a public bug tracker such as Bugzilla. If your versions are vulnerable send an email asking for more information to cve-sec-sensitive@lists.mitre.org and org.apache.soap@v1_1_6_0_1 @bugs.apache.org
For customers that are running the affected versions of Apache SOAP, this vulnerability has been addressed by upgrading to Apache SOAP version 1.3 or later.

CVE-2021-45375

Due to the fact that Apache SOAP versions 1.2, 1.3 and 1.4 are no longer supported, this vulnerability poses a critical risk for customers that are running these versions. As a workaround, Apache SOAP version 1.1 or 1.2 is recommended to be used instead. This vulnerability can be exploited by sending a request with a crafted SOAP envelope to the RPCRouterServlet of Apache SOAP. Depending on the classpath a vulnerable class might be found. In Apache SOAP version 1.1 or 1.2 an attacker can even invoke arbitrary Java code on the classpath. Exploiting this vulnerability is a lot easier as it does not require any knowledge of the internals of RPCRouterServlet. This can lead to a security incident if an attacker is able to send requests to the RPCRouterServlet of Apache SOAP.

Timeline

Published on: 11/14/2022 14:15:00 UTC
Last modified on: 11/16/2022 18:57:00 UTC

References

• https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
• http://www.openwall.com/lists/oss-security/2022/11/14/4
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45378