Haxx.ml has the story¹
This is one of those moments where the latest version of the program(Jetspeed 2.3.0) is hackable using a SQL injection method from CVE-2016-0710.
It behooves us to review CVE-2016-0710:
“The Jetspeed User Manager service, part of the Jetspeed Administrative Portlets, is vulnerable to SQL injection. When performing a search in these tools, the ‘user’ and ‘role’ parameters of the request can be injected to alter the logic of the subsequent SQL statement. ”
But maxx.ml focused on the following line:
“There is also an authorization flaw at play here since the above URLs can be reached without being authenticated in Jetspeed.”
So what he focused on was how a user can be added without authorization. I.e. the user can be added without having to enter a username and password.
So here is a case where you are in PCI compliance (latest software) but not secure since this software has an inherent flaw.
He continues to show the code to create the user
He notes that when the command is sent there is a HTTP 500 Internal Server Error message, but the command still gets created which means a user that you did not authorize will be created.
The 500 error is a general error -so unfortunately it is not an indication to the administrator (besides ‘something’ went wrong) of a specific hack.
Which versions of Jetspeed are affected?
Jetspeed 2.2.0 to 2.2.2
The unsupported Jetspeed 2.1.x versions may be also affected
i.e. the latest version – apparently the Apache Jetspeed version 2.3.0 is hackable.
So now what do we do?
If you are running Apache Jetspeed in your environment, be ultra vigilant on new user addons
I agree once this issue is fixed Jetspeed will be a much better software, but we have a nervous few weeks until then.
Contact me if you want me to test your environment as I am a certified Ethical hacker.