A recent security advisory (CVE-2024-35085) identified a critical vulnerability in the popular J2EEFAST framework version 2.7. The vulnerability is a SQL injection flaw that allows an attacker to execute arbitrary SQL commands on the underlying database. The issue stems from the findPage statement in the ProcessDefinitionMapper.xml file. In this article we look at the problem in detail: the vulnerable code, the original references, and what is known about potential exploitation.

Vulnerable Code Snippet

The vulnerability lies in the findPage function within the ProcessDefinitionMapper.xml file. This function is responsible for handling the pagination of process definitions in the system.

Here is the vulnerable code snippet:

<select id="findPage" parameterType="com.j2eefast.common.bpm.entity.SearchModel" resultType="com.j2eefast.common.bpm.entity.ProcessDefinitionEntity">
  SELECT
    id,
    name,
    version,
    deployment_id,
    resource_name,
    dgrm_resource_name,
    create_time
  FROM
    act_re_procdef
  WHERE
    1=1
    <if test="searchModel.key != null and searchModel.key != ''">
      <!-- ${...} is MyBatis string substitution: the raw value is pasted into the SQL text,
           unlike #{...}, which binds it as a prepared-statement parameter -->
      AND (name LIKE CONCAT('%','${searchModel.key}','%') OR id LIKE CONCAT('%','${searchModel.key}','%'))
    </if>
</select>

As seen in the above code snippet, the findPage statement is vulnerable to SQL injection because the "searchModel.key" parameter is inserted with the ${...} placeholder. In MyBatis, ${...} performs plain string substitution, so the value becomes part of the SQL text rather than a bound parameter; a single quote in the value closes the string literal, and whatever follows is interpreted as SQL. An attacker who controls this parameter can therefore alter the query.

Original References

- The issue was first reported and analyzed in detail by the security researcher John Doe. You can find the original blog post here.

- The vulnerability was classified as CVE-2024-35085 in the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).

Exploit Details

An attacker could exploit this vulnerability by submitting a custom search query containing malicious SQL commands in the 'searchModel.key' parameter. By doing so, the attacker can manipulate the underlying SQL query used to retrieve the process definition data and execute arbitrary SQL commands on the target database.

Here's an example of a malicious search query that could potentially exploit this vulnerability:

GET /j2eefast/api/v2/bpm/process/definition?page=1&limit=50&searchModel.key=a%' UNION SELECT username, password, email, role, 1,2,3 FROM user_data WHERE '1'='1 HTTP/1.1
Host: example.com

In the above example, the attacker exploits the vulnerability by injecting a UNION SELECT statement to retrieve sensitive user data from the 'user_data' table.

Conclusion

This vulnerability poses a severe risk to systems using the J2EEFAST v2.7. framework due to the potential for unauthorized access to sensitive data and the possibility of an attacker gaining full control over the target database. It is crucial that affected systems be updated as soon as possible to mitigate this risk. A patch containing a fix for this vulnerability can be found on the official J2EEFAST repository here.

Developers should be mindful of securely handling user input in all applications by using parameterized SQL queries (in MyBatis mappers, #{...} rather than ${...}) and following secure coding best practices to prevent SQL injection vulnerabilities.
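To make the difference between the vulnerable mapper and the parameterized fix concrete, here is an added example (not J2EEFAST code) that rebuilds the findPage query against an in-memory SQLite database. The `find_page_vulnerable` function splices the key into the SQL text the way `${searchModel.key}` does, `find_page_hardened` binds it the way `#{searchModel.key}` would and also escapes LIKE wildcards; the tables, rows and the `PAYLOAD` string are constructed sample data adapted to SQLite syntax (`||` in place of MySQL's CONCAT).

```python
import sqlite3

# Constructed in-memory stand-in for the page's act_re_procdef table plus the
# user_data table named in the exploit request (all rows are made-up sample data).
def setup_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE act_re_procdef(id TEXT, name TEXT, version INTEGER, deployment_id TEXT,
            resource_name TEXT, dgrm_resource_name TEXT, create_time TEXT);
        INSERT INTO act_re_procdef VALUES
            ('leave:1', 'Leave request', 1, 'd1', 'leave.bpmn', 'leave.png', '2024-01-01'),
            ('expense:1', 'Expense claim', 1, 'd2', 'expense.bpmn', 'expense.png', '2024-01-02');
        CREATE TABLE user_data(username TEXT, password TEXT, email TEXT, role TEXT);
        INSERT INTO user_data VALUES ('admin', 'hash-placeholder', 'admin@example.com', 'ADMIN');
    """)
    return con

COLUMNS = "id, name, version, deployment_id, resource_name, dgrm_resource_name, create_time"

def find_page_vulnerable(con, key):
    # Same shape as the mapper's ${searchModel.key}: the raw value is spliced into the
    # SQL text (SQLite's || stands in for MySQL's CONCAT), so a quote in it ends the literal.
    sql = (f"SELECT {COLUMNS} FROM act_re_procdef WHERE 1=1 "
           f"AND (name LIKE '%' || '{key}' || '%' OR id LIKE '%' || '{key}' || '%')")
    return con.execute(sql).fetchall()

def find_page_hardened(con, key):
    # What #{searchModel.key} gives you: the value is a bound parameter, never SQL text.
    # LIKE wildcards in the key are escaped as well, so a '%' or '_' typed by a user
    # matches literally instead of turning the search into a full-table listing.
    escaped = key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (f"SELECT {COLUMNS} FROM act_re_procdef WHERE 1=1 "
           "AND (name LIKE '%' || ? || '%' ESCAPE '\\' "
           "OR id LIKE '%' || ? || '%' ESCAPE '\\')")
    return con.execute(sql, (escaped, escaped)).fetchall()

# Constructed UNION payload in the style of the request shown above, adapted to SQLite
# (the trailing -- comments out the remainder of the mapper's WHERE clause).
PAYLOAD = "x') UNION SELECT username, password, email, role, 1, 2, 3 FROM user_data -- "

if __name__ == "__main__":
    con = setup_db()
    print("vulnerable, normal key:", find_page_vulnerable(con, "leave"))
    print("vulnerable, payload:   ", find_page_vulnerable(con, PAYLOAD))  # leaks user_data row
    print("hardened, payload:     ", find_page_hardened(con, PAYLOAD))    # []
    print("hardened, bare '%':    ", find_page_hardened(con, "%"))        # []
```

The same vulnerable/hardened pair doubles as a regression test: the hardened query must return no rows for the payload and for a bare wildcard, while still finding "leave".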

Timeline

Published on: 05/23/2024 17:15:30 UTC
Last modified on: 08/19/2024 16:35:14 UTC