Update now – Java bug could allow remote code execution

Unpatched versions could enable attackers to gain critical access due to HTTP protocols

A vulnerability found in Oracle Java SE could allow a malicious web page to take control of a victim’s computer, albeit in a specific set of circumstances.

The bug (CVE-2018-2800) allows Java Remote Management Interface (RMI) endpoints to be accessed by a web browser, which can lead to remote code execution (RCE) on a victim's computer.

Java issued a critical patch update in April, which halted exploitation of the bug in all supported versions.

But researcher Moritz Bechler warned that the attack could still be used against unpatched versions of Java – and combined with other vulnerabilities could be critical.

The root of the bug is that the HTTP transport for RMI is enabled by default.

An attacker could, after directing the victim to a malicious site, make a cross-origin request to the RMI endpoint and send unauthorized requests, which could lead to RCE.

The user could be directed to the malicious website could by a phishing email. Alternatively, an attack could be embedded in something as simple as an advert – which the victim doesn’t always need to click on.

There are a number of requirements needed in order to gain code execution on a victim’s computer.

This bug needs to leverage a number of different vulnerabilities and it needs to be running an unpatched version of Java.

But if you thought you could get away without patching Java because RMI was only running locally, think again.

Bechler explained in his report: “Despite the relatively low immediate impact, combining this issue with certain other RMI/JMX [vulnerabilities] you may end up with an attacker on the internet gaining code execution on one of your local systems by tricking you into visiting some malicious website.

“This includes a couple of deserialization attacks fixed in the past CPU releases, a topic which deserves a separate post some time, as well as possibly some older bugs that allowed direct remote classloading.”

The bug was originally reported back in April and received an update last month. It is currently being reviewed again by the National Vulnerability Database.