Developers and organizations that rely on Java as a primary language for the creation of new internal or customer-facing applications and websites are likely quite excited for the upcoming release of the latest Java Development Kit. (Per the pattern that Oracle has established in the last few years, JDK 15 should be available to the public in September – six months after the debut of JDK 14.) But recent weeks also saw the discovery of new vulnerabilities connected to the near-ubiquitous open source programming language – one of which was severe enough to earn the highest possible alert assessment under the rubric of the Common Vulnerability Scoring System.
While both of these code flaws appear, thus far, to have remedies available for those who need them, various details regarding how the bugs were discovered and what damage they could have caused may still be startling to programmers who use Java on a regular basis. Reviewing the essential information on these vulnerabilities will thus be well worthwhile for any organizations in the process of developing Java-based apps for legacy system modernization or similar purposes.
NetWeaver bug left SAP applications open to full outsider control
SAP stands out as one of the biggest names in the enterprise software space, creating platforms for mission-critical business purposes such as customer relationship management and enterprise resource planning as well as more cutting-edge areas like robotic process automation. NetWeaver, which is built from many Java-based components, is one of SAP's most widely used products at countless companies worldwide, because it provides the framework on which a number of the German developer's other key applications must run. Examples include Solution Manager and the many different tools within Business Suite.
Taking all of that into account, it's safe to assume any business or independent developer that was using NetWeaver was shocked to learn of a potentially fatal vulnerability affecting the SAP technology stack framework. As explained in an official Cybersecurity and Infrastructure Security Agency bulletin released July 13, the flaw, classified as CVE-2020-6287 and assigned a CVSS score of 10, existed within NetWeaver's LM Configuration Wizard, a component that most SAP applications run by default.
CPO Magazine reported that application security firm Onapsis Research Labs discovered the vulnerability and codenamed it RECON. The cybersecurity company found out that any malicious actor inclined to target any of the 40,000-plus SAP users running LM Configuration Wizard could break into that component using simple HTTP exploits. This would allow them to gain completely unfettered access to that user's SAP programs – up to and including the ability to shut them down entirely from any location. But the more pressing risk would be data theft or misuse, because SAP tools, by their very nature, include so much personally identifiable information and financial data about their organizational users' customers and employees.
In a July 23 interview with CPO, K2 Cyber Security CTO and co-founder Jayant Shukla stressed how dangerous flaws like this could be.
"Java-based web applications are among the most common on the internet today, and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10," Shukla told the news provider. He added that the existence of the specific NetWeaver bug exemplified the need for runtime application security, because "web application firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production."
Although SAP released a patch for the bug soon after its discovery by Onapsis, CISA warned that hackers might reverse engineer the vulnerability to go after users who didn't immediately apply the security update.
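The two points above, that the affected component could be reached with simple HTTP requests and that perimeter defenses such as web application firewalls failed to stop exploitation, suggest a detection step defenders can take independently of the patch: audit web-server access logs for requests that reach an administrative configuration component without an authenticated user. The following Python script is an added example and is not code from the article, CISA, SAP or Onapsis. The path prefix /config-wizard/ is a hypothetical placeholder, because the article does not give the real URL of the LM Configuration Wizard, and the log lines are constructed for this example in Common Log Format.

```python
"""Flag unauthenticated HTTP requests that reach an administrative
configuration component, using access logs in Common Log Format.
The admin path prefix and the sample log lines are constructed for
this example; replace the prefix with the real management paths of
the deployment being audited."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical placeholder for an admin/configuration component's URL
# prefix (the article gives no real NetWeaver path).
ADMIN_PATH_PREFIXES = ("/config-wizard/",)

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


@dataclass
class LogEntry:
    ip: str
    user: str
    ts: str
    method: str
    path: str
    status: int


@dataclass
class Alert:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ip"], m["user"], m["ts"], m["method"], m["path"],
                    int(m["status"]))


def is_admin_path(path: str) -> bool:
    """True when the request targets a protected administrative prefix."""
    return any(path.startswith(p) for p in ADMIN_PATH_PREFIXES)


def audit(lines: Iterable[str]) -> List[Alert]:
    """Return an alert for every request on an admin path that the server
    logged with no authenticated user ("-" in the authuser field).
    A 2xx response is the serious case: the component answered an
    unauthenticated caller. A 401/403 shows the access control held."""
    alerts: List[Alert] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_admin_path(entry.path):
            continue
        if entry.user != "-":
            continue  # an authenticated user; not interesting here
        if 200 <= entry.status < 300:
            reason = "unauthenticated request succeeded on admin path"
        elif entry.status in (401, 403):
            reason = "unauthenticated request blocked on admin path"
        else:
            reason = "unauthenticated request on admin path"
        alerts.append(Alert(entry.ip, entry.method, entry.path,
                            entry.status, reason))
    return alerts


def summarize_by_ip(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per source address to surface repeated probing."""
    return dict(Counter(a.ip for a in alerts))


# Constructed sample log; 198.51.100.7 is a documentation-range address.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Jul/2020:10:00:01 +0000] "GET /config-wizard/status HTTP/1.1" 200 512
198.51.100.7 - - [20/Jul/2020:10:02:13 +0000] "POST /config-wizard/settings HTTP/1.1" 200 1024
198.51.100.7 - - [20/Jul/2020:10:02:15 +0000] "GET /config-wizard/users HTTP/1.1" 403 0
10.0.0.8 - - [20/Jul/2020:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
not a log line
"""

if __name__ == "__main__":
    found = audit(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ip} {a.method} {a.path} {a.status}: {a.reason}")
    print("per-source counts:", summarize_by_ip(found))
```

One caveat a reviewer would raise: the authuser field in a server log only reflects HTTP-level authentication, so applications that use form or session logins will show "-" for everyone, and the same check then has to be run against the application's own audit log or an authentication filter placed in front of the component.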
Credential-theft malware used Java as its method of exploitation
As dangerous as RECON is because of how widespread SAP applications are, malware that can run on any system with a Java Runtime Environment is arguably even more alarming, and that is exactly what the STRRAT strain does. According to Security Intelligence, the infection, which included a module called .CRIMSON, is capable of recording keystrokes to steal website and application login credentials once it makes its way onto a host device.
Because STRRAT requires a Java Runtime Environment to operate, its creators included in its payload a script that runs as soon as the malware is downloaded and opened and installs the JRE on any targeted host that doesn't already have it. In theory, this lets the malware compromise a device whether or not Java was previously installed, significantly increasing the number of STRRAT's potential victims.
G Data Solutions, which discovered the malware in early July on German systems, pointed out that Outlook email users couldn't be infected with STRRAT because the phishing message delivering its payload was automatically blocked, and thus far it can only target Windows users. However, the firm's researchers warned that STRRAT's creators could develop workarounds for such limitations with relative ease, meaning its danger is still quite significant.