
Quarkus Java framework impacted by critical RCE bug

Red Hat's Quarkus Java framework contains a critical security flaw that could let an attacker with no privileges achieve remote code execution, Contrast Security researchers have found, The Hacker News reports. The vulnerability sits in the framework's Dev UI Config Editor and affects only developers running Quarkus in Dev Mode who are lured to a website carrying malicious JavaScript, which can then install or execute an arbitrary payload on the developer's machine, noted Contrast Security researcher Joseph Beeton. Victims could be drawn to such a site through spear-phishing, watering hole attacks or malicious ads on sites developers visit, the report said. "While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box," said Quarkus, which recommended upgrading to version 2.14.2.Final or 2.13.5.Final of the framework to close the hole. As a workaround, developers can also move all non-application endpoints, which include the Dev UI, to a random root path.
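As an added example (not code from the SC Media brief, Contrast Security or the Quarkus project), the Python below turns the two actionable facts in the brief into a checkable vulnerability-management rule: which Quarkus versions carry the Dev UI fix, and whether a project's application.properties applies the random-root-path workaround. It assumes the Quarkus property name quarkus.http.non-application-root-path with its default value q, the pom.xml property names quarkus.platform.version and quarkus.version, and it reports release lines other than 2.13 and 2.14 as unverified rather than guessing; the pom and properties snippets are constructed sample input.

```python
import re
import secrets

# First fixed patch release on each Quarkus 2.x line named in the brief:
# 2.14.2.Final and 2.13.5.Final.
FIRST_FIXED_PATCH = {(2, 13): 5, (2, 14): 2}

# Assumption (not stated in the brief): the Quarkus property that relocates
# non-application endpoints such as the Dev UI, and its default value "q".
NON_APP_ROOT_KEY = "quarkus.http.non-application-root-path"
NON_APP_ROOT_DEFAULT = "q"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9]+))?$")
_PROPERTY_RE = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")
# Assumption: generated poms name the version quarkus.platform.version (newer)
# or quarkus.version (older).
_POM_VERSION_RE = re.compile(
    r"<(quarkus\.platform\.version|quarkus\.version)>\s*([^<\s]+)\s*</\1>"
)


def parse_version(version):
    """Split '2.14.1.Final' into (2, 14, 1, 'Final'); the qualifier may be ''."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Quarkus version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or ""


def assess_version(version):
    """Return 'fixed', 'vulnerable' or 'unverified' for one Quarkus version.
    Only the two release lines the advisory names get a verdict."""
    major, minor, patch, qualifier = parse_version(version)
    threshold = FIRST_FIXED_PATCH.get((major, minor))
    if threshold is None:
        return "unverified"
    if patch != threshold:
        return "fixed" if patch > threshold else "vulnerable"
    # Same patch number as the fix release: only the Final build carries it;
    # pre-release qualifiers such as CR1 predate it.
    return "fixed" if qualifier in ("", "Final") else "vulnerable"


def quarkus_version_from_pom(pom_xml):
    """Read the platform version from pom.xml text, or None if absent."""
    m = _POM_VERSION_RE.search(pom_xml)
    return m.group(2) if m else None


def non_application_root_path(properties_text):
    """Configured non-application root path without slashes, or the default."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _PROPERTY_RE.match(line)
        if m and m.group(1) == NON_APP_ROOT_KEY:
            return m.group(2).strip().strip("/")
    return NON_APP_ROOT_DEFAULT


def workaround_applied(properties_text):
    """True only if the Dev UI was moved off the default, guessable path.
    A bare '/' merges it into the application root, so that does not count."""
    return non_application_root_path(properties_text) not in ("", NON_APP_ROOT_DEFAULT)


def workaround_property_line():
    """Render the workaround as a properties line with a fresh random path."""
    return f"{NON_APP_ROOT_KEY}=/{secrets.token_urlsafe(16)}"


def assess_project(pom_xml, properties_text):
    """One verdict string for a project, starting 'ok', 'mitigated' or 'action'."""
    version = quarkus_version_from_pom(pom_xml)
    status = assess_version(version) if version else "unverified"
    shown = version or "unknown"
    if status == "fixed":
        return f"ok: Quarkus {shown} carries the Dev UI fix"
    if workaround_applied(properties_text):
        return f"mitigated: Quarkus {shown} is {status}, but the Dev UI sits on a random root path"
    return f"action: Quarkus {shown} is {status}; upgrade, or set {NON_APP_ROOT_KEY} to a random path"


# Constructed sample inputs, not taken from any real project.
SAMPLE_POM = """<project>
  <properties>
    <quarkus.platform.version>2.14.1.Final</quarkus.platform.version>
  </properties>
</project>"""
SAMPLE_PROPERTIES_DEFAULT = "quarkus.http.port=8080\n# Dev UI left under /q/dev\n"
SAMPLE_PROPERTIES_MITIGATED = SAMPLE_PROPERTIES_DEFAULT + workaround_property_line() + "\n"

if __name__ == "__main__":
    print(assess_project(SAMPLE_POM, SAMPLE_PROPERTIES_DEFAULT))
    print(assess_project(SAMPLE_POM, SAMPLE_PROPERTIES_MITIGATED))
```

Feed quarkus_version_from_pom the real pom.xml text and non_application_root_path the project's application.properties. A non-default path only hides the Dev UI from a guessing attacker; it does not remove the flaw, so treat "mitigated" as a stopgap until the upgrade lands.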
