Popular Java Security Framework ‘pac4j’ Vulnerable to RCE (CVE-2023-25581)
A new analysis by security researcher Michael Stepankin (@artsploit) of the GitHub Security Lab (GHSL) has uncovered a critical vulnerability in pac4j, a widely-used Java security framework. This vulnerability, tracked as CVE-2023-25581 and assigned a CVSS score of 9.2, could allow attackers to execute arbitrary code on affected systems.
pac4j is designed to simplify authentication and authorization in Java applications, offering a comprehensive suite of tools for securing web applications and web services. However, Stepankin’s analysis reveals a critical flaw in versions prior to 4.0.0.
The vulnerability stems from how pac4j restores user profile attributes. As Stepankin explains in his analysis, “The method org.pac4j.core.profile.InternalAttributeHandler#restore deserializes untrusted data.” In practice, an attribute value is a string that the handler may interpret as an encoded serialized Java object and deserialize, without adequately checking what that object is.
An attacker who can get a crafted string into a user profile attribute, consisting of the {#sb64} prefix followed by a Base64-encoded serialized Java object, can trigger this path: when the restore method processes the attribute, it decodes and deserializes the object, potentially leading to Remote Code Execution (RCE). “It’s possible to trick the program to perform a deserialization of an arbitrary Java class,” warns Stepankin.
pac4j-core does wrap the deserialization in a RestrictedObjectInputStream that limits which classes can be loaded, but the restriction is not tight enough to prevent exploitation. As the researcher highlights, “It still allows a broad range of Java packages and potentially exploitable with different gadget chains.” Because the check operates at the level of packages rather than the specific classes the application expects, an attacker with a gadget chain built from classes inside the permitted packages can still reach code execution; the filter raises the bar without closing the hole.
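To make the mechanism concrete, here is a small added Java example. It is not pac4j's code and not part of the GHSL analysis; it mimics the described restore step, in which a value beginning with {#sb64} is Base64-decoded and handed to an ObjectInputStream. The package-prefix allowlist in restoreBroad is an assumed stand-in for a RestrictedObjectInputStream-style check, not pac4j's actual list; restoreStrict shows the alternative of an exact-class allowlist through the JDK's ObjectInputFilter (Java 9+). The Profile class and the HashMap stand-in are constructed for the demonstration.

```java
import java.io.*;
import java.util.Base64;
import java.util.HashMap;

/**
 * Added illustration, not pac4j code: an attribute "restore" step that treats
 * values tagged "{#sb64}" as Base64-encoded serialized Java objects, shown with
 * a package-prefix allowlist (weak) and an exact-class ObjectInputFilter (strict).
 */
public class Sb64AttributeDemo {

    static final String PREFIX = "{#sb64}";

    // Assumed, illustrative package allowlist. It is NOT pac4j's list; it only
    // shows why allowing whole packages is weak: java.util.* alone contains the
    // collection classes that public gadget chains use as their entry point.
    static final String[] BROAD_ALLOWED_PREFIXES = {
        "java.lang.", "java.util.", Sb64AttributeDemo.class.getName()
    };

    /** Stands in for a legitimate object an application might store in an attribute. */
    public static class Profile implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public Profile(String name) { this.name = name; }
    }

    /** Serialize and wrap an object the way the restore step expects. */
    public static String wrap(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    private static byte[] unwrap(String value) {
        return Base64.getDecoder().decode(value.substring(PREFIX.length()));
    }

    /** Weak pattern: deserialize anything whose class name starts with an allowed package. */
    public static Object restoreBroad(String value) throws IOException, ClassNotFoundException {
        if (value == null || !value.startsWith(PREFIX)) {
            return value; // ordinary string attribute, returned as-is
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(unwrap(value))) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                String n = desc.getName();
                for (String p : BROAD_ALLOWED_PREFIXES) {
                    if (n.startsWith(p)) {
                        return super.resolveClass(desc);
                    }
                }
                throw new InvalidClassException("rejected by package allowlist: " + n);
            }
        }) {
            return ois.readObject();
        }
    }

    /** Strict pattern: exact-class allowlist plus size/depth limits (Java 9+). */
    public static Object restoreStrict(String value) throws IOException, ClassNotFoundException {
        if (value == null || !value.startsWith(PREFIX)) {
            return value;
        }
        // Only the one expected type and String are allowed; "!*" rejects every other
        // class, including java.util.* containers, before their readObject() ever runs.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxbytes=65536;" + Profile.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(unwrap(value)))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String benign = wrap(new Profile("alice"));
        System.out.println("strict restored: " + ((Profile) restoreStrict(benign)).name);

        // Constructed stand-in for an attacker-chosen class. Any java.util.* type
        // passes the package allowlist; HashMap's readObject() calls hashCode() on
        // each key, which is how several public gadget chains start executing.
        String smuggled = wrap(new HashMap<String, String>());
        System.out.println("broad accepted:  " + restoreBroad(smuggled).getClass().getName());
        try {
            restoreStrict(smuggled);
            System.out.println("strict accepted: should not happen");
        } catch (InvalidClassException e) {
            System.out.println("strict rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac Sb64AttributeDemo.java && java Sb64AttributeDemo`. The benign Profile round-trips through the strict handler, while the HashMap stand-in passes the package allowlist and is refused by the exact-class filter with "filter status: REJECTED". A real attacker would substitute a gadget-chain payload for the empty HashMap; the point is that the set of reachable classes, not the set of permitted packages, decides exploitability. The safest option is to not deserialize attribute values at all; where deserialization cannot be removed, an exact allowlist of the expected classes is the fallback.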
Successful exploitation gives the attacker arbitrary code execution in the context of the application, which can lead to data theft, service disruption, or further compromise of the surrounding network.
The good news is that pac4j versions 4.0.0 and later are not affected by CVE-2023-25581. Stepankin and the GHSL team strongly advise all users of earlier versions to upgrade immediately.