HCL Web Experience Factory 8.5.1 security vulnerabilities | HCL Digital Experience

Below is a list of security vulnerabilities of HCL Web Experience Factory 8.5.1.

log4j-1.2.15.jar

CVE ID: CVE-2022-23305
  • Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default.
  • Analysis: The JDBCAppender component is not used, hence it is non-exploitable.
CVE ID: CVE-2019-17571
  • Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
  • Analysis: The SocketServer component is not used, hence it is non-exploitable.
CVE ID: CVE-2020-9493/CVE-2022-23307
  • Description: A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
  • Analysis: The Chainsaw GUI log viewer component is not used, hence it is non-exploitable.
CVE ID: CVE-2022-23302
  • Description: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.
  • Analysis: The JMSSink component is not used, hence it is non-exploitable.
CVE ID: CVE-2021-4104
  • Description: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228.
  • Analysis: The JMSAppender component is not used, hence it is non-exploitable.
CVE ID: CVE-2020-9488
  • Description: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
  • Analysis: The SMTPAppender component is not used, hence it is non-exploitable.

common-collections-3.2.jar

CVE ID: CVE-2017-15708
  • Description: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). It allows remote code execution attacks that can be performed by injecting specially crafted serialized objects.
  • Analysis: To mitigate the issue, you need to limit RMI access to trusted users only. Not exploitable, as Eclipse within the WEF package is not accessible remotely unless configured.
CVE ID: CVE-2019-13116
  • Description: The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.
  • Analysis: Not exploitable, as Eclipse within the WEF package is not accessible remotely unless configured.
CVE ID: CVE-2015-4852
  • Description: The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar.
    Note: The scope of this CVE is limited to the WebLogic Server product.
  • Analysis: Non-exploitable if the WebLogic Server product is not used.

axis-1.4.jar

CVE ID: CVE-2019-0227
  • Description: A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006.
  • Analysis: To mitigate the issue, you need to use the JAX-WS implementation provided by your application server instead of axis-1.4.jar. Not exploitable, as Eclipse within the WEF package is not accessible remotely unless configured.
CVE ID: CVE-2018-8032
  • Description: Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.
  • Analysis: Not exploitable, as Eclipse within the WEF package is not accessible remotely unless configured.

jdom-1.0.jar

CVE ID: CVE-2021-33813
  • Description: An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. The attack can only be done within the local network.
  • Analysis: Parsing a DTD is what triggers the XXE issue. DTD parsing is blocked, but to be on the safer side, do not parse any DTD file. As this cannot be done remotely, it is non-exploitable.
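The "do not parse any DTD" advice above, as an added example that is not part of the HCL advisory and not JDOM code: a JDK-only Java program that configures the built-in DOM parser to reject any DOCTYPE before a single entity can be declared or resolved. The XML inputs are constructed for the example and the SYSTEM identifier in the DOCTYPE is a placeholder; the class name NoDtdParser and method parseRootText are assumptions of this example. The same Xerces feature names can be passed to JDOM's SAXBuilder through its setFeature method.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (hypothetical class): a DOM parser that refuses every DOCTYPE. */
public class NoDtdParser {

    // Constructed sample input: carries a DOCTYPE that declares an external entity.
    // The SYSTEM identifier is a placeholder; nothing is ever fetched because the
    // DOCTYPE itself is rejected.
    static final String WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
      + "<doc>&ext;</doc>";

    // Constructed sample input without a DTD: parses normally.
    static final String PLAIN = "<?xml version=\"1.0\"?><doc>hello</doc>";

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: a document containing <!DOCTYPE ...> is rejected outright,
        // so neither internal nor external entities can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the root element's text, or null when the document was rejected. */
    static String parseRootText(String xml) {
        try {
            Document d = hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            // Thrown for WITH_DTD: the parser stops at the DOCTYPE declaration.
            return null;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println("plain    -> " + parseRootText(PLAIN));
        System.out.println("with DTD -> " + parseRootText(WITH_DTD));
    }
}
```

Rejecting the DOCTYPE is preferable to merely disabling external entities: it also removes internal-entity expansion, so the denial-of-service variant described in the CVE (entity expansion rather than file disclosure) is closed by the same setting.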

ant-1.9.2.jar

CVE IDs: CVE-2020-11979, CVE-2020-1945, CVE-2021-36373, CVE-2021-36374
  • Description: This would still allow an attacker to inject modified source files into the build process.
  • Analysis: Not exploitable as Eclipse is not accessible remotely unless configured or a vulnerable jar file is laid down.

commons-io-2.2-2.0.jar, commons-io-1.3.2.jar

CVE ID: CVE-2021-29425
  • Description: When invoking the method FileNameUtils.normalize with an improper input string, like //../foo or \..\foo, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
  • Analysis: Not exploitable as Eclipse is not accessible remotely unless configured or a vulnerable jar file is laid down.
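The description above turns on "if the calling code would use the result to construct a path value". As an added example that is not part of the HCL advisory and does not use commons-io, the following JDK-only Java program shows the check that calling code should perform regardless of what a normalize routine returns: resolve the untrusted name against a base directory, normalize, and accept the result only if it is still inside that directory. The class name SafePathResolver, the method resolveInside and the sample inputs are constructed for this example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example (hypothetical class): containment check for untrusted path segments. */
public class SafePathResolver {

    /**
     * Resolve an untrusted name against baseDir. Returns the normalized absolute path
     * when it lies inside baseDir, or null when it escapes (or is not a valid path).
     * Uses java.nio.file.Path rather than commons-io FilenameUtils.
     */
    static Path resolveInside(Path baseDir, String untrusted) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            // resolve() returns the argument unchanged when it is absolute, so an
            // absolute untrusted value simply fails the startsWith check below.
            candidate = base.resolve(untrusted).normalize();
        } catch (InvalidPathException e) {
            return null; // characters the platform refuses in a path
        }
        // normalize() folds ".." lexically; the containment test is what matters.
        // Note: symbolic links are not followed here; use toRealPath() on existing
        // files when the directory may contain links pointing outside base.
        return candidate.startsWith(base) ? candidate : null;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/uploads"); // constructed base directory
        String[] samples = {
            "report.txt",      // plain name: accepted
            "a/../b.txt",      // ".." that stays inside: accepted as b.txt
            "../secret",       // climbs out of base: rejected
            "//../foo",        // the CVE's sample input: rejected
            "/etc/hosts",      // absolute path: rejected
        };
        for (String s : samples) {
            Path r = resolveInside(base, s);
            System.out.println(String.format("%-14s -> %s", s, r == null ? "REJECTED" : r));
        }
    }
}
```

On Windows the backslash form from the CVE ("\..\foo") is a separator and is rejected the same way; on Unix it is an ordinary file name inside the base directory, which is why the containment check, not the input syntax, is the property to rely on.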

jquery-1.3.2.min.js

CVE IDs: CVE-2015-9251, CVE-2019-11358, CVE-2020-7656, CVE-2012-6708, CVE-2011-4969
  • Description: Various flavours of XSS attacks.
  • Analysis: Not exploitable as it is used in rendering WEF documentation.