#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Liima - Automation Middleware (AMW)
# Vendor:   Liima Open Source Project
# CSNC ID:  CSNC-2022-019
# CVE ID:   CVE-2023-26092
# Subject:  Server-Side Template Injection (SSTI)
# Risk:     High
# Effect:   Remote code execution
# Author:   Marc Tanner
# Date:     2023-01-30
#
#############################################################

Introduction
------------

Liima - Automated Middleware allows managing the configurations of Java EE
applications on an unlimited number of different environments with various
versions, including the automated deployment of those apps[1,2].

Liima v1.17.27 (and possibly earlier versions) is vulnerable to server-side
template injection, resulting in remote code execution on the application
server.

Technical Description
---------------------

Liima uses the Apache FreeMarker template engine[3] and evaluates
user-controlled input as template expressions. Storing the following payload
in a configuration parameter and subsequently forcing its evaluation through
the `Analyze > Test Generation` functionality results in the execution of the
`id(1)` command on the application server.

<#assign ex = "freemarker.template.utility.Execute"?new()>${ex("id")}

Workaround / Fix
----------------

Upgrade to Liima v1.17.28 or later containing the fix[4].

Timeline
--------

2022-10-07: Discovery by Marc Tanner
2022-10-19: Initial vendor notification
2022-10-27: Initial vendor response
2023-01-03: Release of fixed version
2023-01-31: Coordinated public disclosure date

References
----------

[1] https://www.liima.org/
[2] https://github.com/liimaorg/liima#liima
[3] https://freemarker.apache.org/
[4] https://github.com/liimaorg/liima/pull/678
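As an added illustration that is not part of the advisory and not the Liima project's code (nor the fix in pull request 678), the following Java snippet shows the two defensive measures that close this class of bug in FreeMarker: passing untrusted values into the template as model data rather than compiling them as template source, and, as defence in depth, configuring the `?new` builtin so it cannot instantiate arbitrary classes such as `freemarker.template.utility.Execute`. It assumes FreeMarker 2.3.31 on the classpath; the class and method names `FreemarkerHardeningDemo`, `hardenedConfiguration` and `renderUserValueAsData` are hypothetical.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class FreemarkerHardeningDemo {

    // Constructed test input: the payload quoted in the advisory.
    static final String PAYLOAD =
        "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    // Hypothetical helper: a Configuration whose ?new builtin refuses every class,
    // so "..."?new() throws a TemplateException instead of instantiating Execute.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    // Hypothetical helper: the template source is developer-written and fixed; the
    // untrusted value only enters through the data model, so it is never parsed.
    static String renderUserValueAsData(Configuration cfg, String userValue)
            throws IOException, TemplateException {
        Template tpl = new Template("trusted", new StringReader("param=${value}"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("value", userValue);
        StringWriter out = new StringWriter();
        tpl.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        // Safe path: the payload is echoed back verbatim as text, nothing runs.
        System.out.println(renderUserValueAsData(cfg, PAYLOAD));
        // Defence in depth: even if the payload is (wrongly) compiled as template
        // source, ALLOWS_NOTHING_RESOLVER makes ?new fail at evaluation time.
        try {
            new Template("untrusted", new StringReader(PAYLOAD), cfg)
                .process(new HashMap<String, Object>(), new StringWriter());
        } catch (TemplateException e) {
            System.out.println("blocked by class resolver: " + e.getMessage());
        }
    }
}
```

`TemplateClassResolver.SAFER_RESOLVER` is the less strict alternative that still blocks `Execute`, `ObjectConstructor` and `JythonRuntime` while allowing other classes; either setting only limits `?new`, so the primary fix remains never compiling user-controlled text as a template.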