"Zero-Day Flaw Discovered in Quarkus Java Framework"

Security researchers at Contrast Security have discovered a high-severity zero-day vulnerability in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines (JVMs) and native compilation. Tracked as CVE-2022-4116, the flaw has a CVSS v3 base score of 9.8 and lies in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that can lead to remote code execution (RCE). According to the researchers, exploiting the vulnerability is relatively straightforward and requires no privileges.

The researchers noted that, to be clear, CVE-2022-4116 does not affect services running in production; it only affects developers building services with Quarkus. If a developer running Quarkus locally visits a website containing malicious JavaScript, that JavaScript can silently execute code on the developer's machine. The researchers are not sure how widely the Red Hat build of Quarkus is used. Started only in 2019, Quarkus is reportedly growing in popularity, particularly for Kubernetes use cases, given its ease of use and its significantly lighter demand on hardware resources to run applications.

The researchers noted that the Quarkus team released a fix for CVE-2022-4116 in versions 2.14.2.Final and 2.13.5.Final (long-term support, LTS). The fix requires the Dev UI to check the Origin header, so that it only accepts requests carrying a specific header that is set by the browser and cannot be modified by JavaScript. The researchers stated that while CVE-2022-4116 has been fixed, there are likely many more equivalent vulnerabilities in other frameworks.
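The Origin-header check described above, shown as an added Python illustration rather than the Quarkus project's own Java fix: a developer-only endpoint rejects state-changing requests unless the browser-set Origin names the dev server itself, which is what stops a page on another site from driving the local editor. The listening address http://localhost:8080, the handler class and the sample request headers are assumptions constructed for this example.

```python
"""Origin-header gate for a developer-only HTTP endpoint (constructed example).

Hypothetical illustration of the mitigation described in the text, not the
Quarkus project's code. Assumes the dev server listens on http://localhost:8080.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}  # assumption
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def normalize_origin(origin: str) -> str:
    """Reduce an Origin value to scheme://host[:port], lower-cased."""
    parts = urlsplit(origin.strip())
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_request_allowed(method: str, headers: dict) -> bool:
    """Decide whether a request may reach the config editor.

    The browser attaches Origin to cross-site requests and page scripts cannot
    change it, so a foreign Origin identifies a drive-by from another site.
    Any request carrying an Origin must name the dev server itself, and
    state-changing methods must carry one (a fetch() from a web page always
    does), so omitting the header is not a bypass. Plain GETs without Origin
    (direct navigation, curl) pass because they do not edit configuration.
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return method.upper() not in STATE_CHANGING
    return normalize_origin(origin) in ALLOWED_ORIGINS


class ConfigEditorHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a dev-only config endpoint guarded by the check."""

    def do_POST(self):
        if not is_request_allowed("POST", dict(self.headers)):
            self.send_error(403, "Origin not allowed")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"config updated\n")


if __name__ == "__main__":
    # Constructed headers: what a drive-by page and the real Dev UI would send.
    drive_by = {"Origin": "https://evil.example", "Content-Type": "application/json"}
    print("drive-by POST allowed:", is_request_allowed("POST", drive_by))  # False
    print("Dev UI POST allowed:", is_request_allowed("POST", {"Origin": "http://localhost:8080"}))  # True
    HTTPServer(("127.0.0.1", 8080), ConfigEditorHandler).serve_forever()
```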

Infosecurity reports: "Zero-Day Flaw Discovered in Quarkus Java Framework"
