CVE-2017-14105 in HiveManager Classicinfo

Summary

by MITRE

HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps (it will be exposed at the web interface).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/02/2017

CVE-2017-14105 represents a critical path traversal vulnerability in HiveManager Classic versions through 8.1r1 that enables arbitrary JSP code execution through backup archive manipulation. This vulnerability stems from insufficient input validation during the restore process, specifically failing to sanitize pathnames contained within backup archives. The flaw exists at the core of the application's archive handling mechanism where it blindly extracts files without verifying their intended destination paths, creating an exploitable condition that allows attackers to place malicious JSP files in critical web application directories.

The technical implementation of this vulnerability leverages the restore functionality's lack of path validation checks, enabling attackers to manipulate backup archives by inserting malicious JSP files at specific locations within the archive structure. When the restore process executes, it extracts these files to their specified paths without proper sanitization, allowing the attacker to place executable code directly in the web application's document root. The attack vector specifically targets the HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps directory path, which becomes accessible through the web interface, providing a direct execution channel for malicious code.

This vulnerability operates under the CWE-22 Path Traversal weakness category, specifically manifesting as a directory traversal attack that allows an attacker to access files and directories outside the intended scope of the application. The impact is particularly severe because it requires only local authentication and can be exploited by restricted tenant users, effectively bypassing the application's access control mechanisms. The vulnerability's exploitation directly aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: Java, as it enables execution of malicious Java Server Pages within the application's web context.

The operational consequences of this vulnerability extend beyond simple code execution to encompass full system compromise capabilities. Once an attacker successfully places malicious JSP files in the web application directory, they can execute arbitrary commands on the underlying server, potentially leading to complete system takeover. The vulnerability's persistence is enhanced by the fact that the malicious code remains active even after the restore operation completes, providing a lasting backdoor for continued access. Additionally, the vulnerability affects the application's integrity by allowing unauthorized code injection into the web application's runtime environment.

Mitigation strategies for CVE-2017-14105 should focus on implementing proper input validation and path sanitization within the backup restore functionality. Organizations must ensure that all archive extraction processes validate pathnames against a whitelist of acceptable directories and reject any attempts to place files outside designated safe locations. The implementation should include strict path normalization checks that prevent directory traversal attempts and enforce proper access controls during the restore process. Updates to HiveManager Classic beyond version 8.1r1 should be prioritized, as these releases contain the necessary patches to address the path traversal vulnerability. Network segmentation and monitoring of web application directories should also be implemented to detect unauthorized file modifications and prevent exploitation of similar vulnerabilities in the future.

Reservation

09/01/2017

Disclosure

09/01/2017

Moderation

accepted

CPE

ready

EPSS

0.01300

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!