CVE-2019-18956
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected Divisa Proxia Suite systems via insecure Java deserialization of the proxia-error cookie. Attackers can craft malicious serialized payloads that get deserialized by the prepareError function, leading to complete system compromise. Affected products include Divisa Proxia Suite versions 9-10.1, SparkSpace 1.0-1.2, and Proxia PHR 1.0-1.1.
💻 Affected Systems
- Divisa Proxia Suite
- SparkSpace
- Proxia PHR
- Proxia Premium Edition 2017
📦 What is this software?
Dv2eemvc by Divisait
Proxia Phr by Divisait
Proxia Suite by Divisait
Sparkspace by Divisait
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining full control over the server, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to data theft, service disruption, and potential ransomware deployment.
If Mitigated
Attack blocked at network perimeter or detected before execution; limited to attempted exploitation logs.
🎯 Exploit Status
Exploitation needs only a crafted serialized Java object placed in the proxia-error cookie; no authentication is required. Gadget-chain generators such as ysoserial produce such payloads routinely, so the crafting effort is low. Which chain actually yields code execution depends on the libraries present on the Proxia classpath.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Proxia Suite: 9.12.16, 9.11.19, 9.10.26, 9.9.8, 9.8.43, 9.7.10, 10.0.32, 10.1.5. SparkSpace: 1.0.30, 1.1.2, 1.2.4. Proxia PHR: 1.0.30, 1.1.2
Vendor Advisory: https://github.com/blackarrowsec/advisories/tree/master/2019/CVE-2019-18956
Restart Required: Yes
Instructions:
1. Download the patched versions from Divisa.
2. Back up the current installation.
3. Stop the Proxia service.
4. Replace the affected JAR files with the patched versions.
5. Restart the service.
6. Verify the fix by checking the version.
🔧 Temporary Workarounds
Cookie Filtering
Configure the web application firewall or reverse proxy in front of Proxia to block or strip the proxia-error cookie. The rule below rejects every request that carries that cookie name, including any the application set itself if it uses that cookie for its own error handling, so test it on a staging host before rolling it out. A narrower variant matches only values that start with the serialized-object indicators (base64 "rO0AB" or percent-encoded "%AC%ED"), at the cost of missing other encodings.
# Example nginx config to block the cookie. "if" is safe here because the only action is "return".
location / {
    if ($http_cookie ~* "proxia-error") {
        return 403;
    }
    proxy_set_header Cookie $http_cookie;
    # proxy_pass to the Proxia backend goes here
}
Network Segmentation
Isolate affected systems from untrusted networks and implement strict firewall rules.
# Example iptables rules to restrict access. Replace the placeholders; -A appends,
# so the ACCEPT for trusted sources must be added before the catch-all DROP.
iptables -A INPUT -p tcp --dport [PROXIA_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [PROXIA_PORT] -j DROP
# Repeat with ip6tables if the host is reachable over IPv6.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IPs only.
- Deploy web application firewall with rules to detect and block malicious serialized payloads in cookies.
🔍 How to Verify
Check if Vulnerable:
Compare the running version with the affected ranges above; that is what determines exposure. Serialized Java objects arriving in the proxia-error cookie indicate attempted exploitation, not vulnerability, so treat that as a detection signal rather than a version check.
Check Version:
Check the application documentation or web interface for version information. On Linux, if the deployed JARs carry a build version in their manifest (assumed for Proxia; the install path is a placeholder): find /path/to/proxia/installation/ -name '*.jar' -exec sh -c 'echo "$1"; unzip -p "$1" META-INF/MANIFEST.MF | grep -i version' _ {} \;
Verify Fix Applied:
Confirm the running version is one of the patched releases listed above. Optionally send a harmless probe: a proxia-error cookie carrying a serialized object of a class that does not exist on the server, then check the application logs. A ClassNotFoundException naming that class means the cookie still reaches Java deserialization; a build that no longer deserializes the cookie produces no such error. Never use a real gadget-chain payload for this check, and probe only systems you are authorized to test.
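The probe described above can be built without any gadget chain: a minimal, valid Java serialization stream describing a field-less class that cannot exist on the target. Reading it makes ObjectInputStream resolve the class name, which fails with ClassNotFoundException before any object data is read. This is an added example, not code from Divisa or the BlackArrow advisory; the base64 cookie encoding (chosen to match the "rO0AB" indicator used in the detection section) and the class name com.example.ProxiaProbe are assumptions.

```python
"""Build a benign Java serialization stream to probe the proxia-error cookie.

Added example, not code from Divisa or the advisory. Assumptions: the cookie
value is base64-encoded, and com.example.ProxiaProbe is absent from the
target's classpath.
"""
import base64
import struct
import urllib.error
import urllib.request

# Constants from the Java Object Serialization Stream Protocol.
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = b"\x73"
TC_CLASSDESC = b"\x72"
TC_ENDBLOCKDATA = b"\x78"
TC_NULL = b"\x70"
SC_SERIALIZABLE = b"\x02"

PROBE_CLASS = "com.example.ProxiaProbe"  # assumed not to exist on the server


def java_utf(text: str) -> bytes:
    """Length-prefixed (modified) UTF-8 as written by DataOutput.writeUTF.
    Plain UTF-8 is identical for ASCII, which is all a class name needs."""
    data = text.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for a 2-byte length prefix")
    return struct.pack(">H", len(data)) + data


def build_probe_stream(class_name: str = PROBE_CLASS, serial_version_uid: int = 1) -> bytes:
    """Serialized form of one instance of a Serializable class with no fields.

    Layout: header, TC_OBJECT, TC_CLASSDESC, className, serialVersionUID,
    flags, fieldCount=0, end of class annotation, no superclass. With zero
    fields there is no object data, so the stream ends there. readObject()
    on it throws ClassNotFoundException for class_name.
    """
    return (
        STREAM_MAGIC + STREAM_VERSION
        + TC_OBJECT
        + TC_CLASSDESC
        + java_utf(class_name)
        + struct.pack(">q", serial_version_uid)
        + SC_SERIALIZABLE
        + struct.pack(">H", 0)
        + TC_ENDBLOCKDATA
        + TC_NULL
    )


def build_probe_cookie(class_name: str = PROBE_CLASS) -> str:
    """Cookie value: base64 of the stream (assumed transport encoding)."""
    return base64.b64encode(build_probe_stream(class_name)).decode("ascii")


def class_name_from_stream(data: bytes) -> str:
    """Parse the first class descriptor back out of a stream, i.e. the name a
    'ClassNotFoundException: <name>' log line would show. Raises on mismatch."""
    if data[:4] != STREAM_MAGIC + STREAM_VERSION:
        raise ValueError("not a Java serialization stream")
    if data[4:6] != TC_OBJECT + TC_CLASSDESC:
        raise ValueError("stream does not start with an object and inline class descriptor")
    (length,) = struct.unpack(">H", data[6:8])
    return data[8:8 + length].decode("utf-8")


def send_probe(url: str, cookie_value: str, timeout: float = 10.0) -> int:
    """Send one GET with the probe cookie and return the HTTP status. The useful
    evidence is server-side: a ClassNotFoundException naming PROBE_CLASS in the
    Proxia logs means the cookie is still being deserialized."""
    req = urllib.request.Request(url, headers={"Cookie": f"proxia-error={cookie_value}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import sys
    cookie = build_probe_cookie()
    print("proxia-error=" + cookie)
    if len(sys.argv) > 1:  # pass a URL you are authorized to test
        print("HTTP", send_probe(sys.argv[1], cookie))
```

Run it without arguments to print the cookie value for use with curl; pass a URL to send one request. The HTTP status alone proves little, since an unpatched server may still answer 200 after the exception; the server log is what to read.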
📡 Detection & Monitoring
Log Indicators:
- Java deserialization errors in the application logs (ClassNotFoundException, InvalidClassException, StreamCorruptedException) correlated with requests that carried a proxia-error cookie
- Requests with unusually large or binary-looking data in the proxia-error cookie
- Unexpected process execution from Proxia service
Network Indicators:
- HTTP requests whose proxia-error cookie holds a serialized Java object: base64 values starting with rO0AB, or percent-encoded values starting with %AC%ED (the stream header AC ED 00 05)
- Outbound connections from Proxia server to unknown IPs
SIEM Query:
source="proxia_logs" AND (cookie="*proxia-error=rO0AB*" OR cookie="*proxia-error=%AC%ED*")
A bare *ACED* wildcard is not a good indicator: wildcard matches are case-insensitive, so it also fires on any value containing "aced" (for example "placed"), and the hex letters only appear literally when the cookie is percent-encoded. For a lower-fidelity hunt, search for any cookie="*proxia-error*" and review the values by hand.
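Worked detection logic for the indicators above, as an added example (not from the advisory or the vendor): it pulls the proxia-error cookie out of a request's Cookie header, tries the transport encodings a cookie value would plausibly use (percent-encoded raw bytes, base64, base64 inside percent encoding; all assumptions), and alerts only when the decoded bytes start with the Java stream header AC ED 00 05. It also shows why matching the substring "ACED" alone is noisy. The log records are constructed.

```python
"""Flag requests whose proxia-error cookie carries a serialized Java object.

Added example for the detection indicators above; not code from Divisa or the
advisory. The transport encodings tried (percent-encoded raw bytes, base64,
base64 inside percent encoding) are assumptions about how the cookie value
travels; the constant matched is the Java serialization stream header.
"""
import base64
import binascii
from urllib.parse import unquote, unquote_to_bytes

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION
COOKIE_NAME = "proxia-error"


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into {name: value}; first occurrence wins."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value.strip().strip('"')
    return cookies


def candidate_decodings(value: str):
    """Yield (encoding, bytes) for each plausible transport encoding of the value."""
    yield "percent", unquote_to_bytes(value)
    for label, text in (("base64", value), ("percent+base64", unquote(value))):
        try:
            decoded = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 under this encoding; try the next
        yield label, decoded


def classify(cookie_header: str) -> dict:
    """Describe the proxia-error cookie in one request's Cookie header."""
    cookies = parse_cookie_header(cookie_header)
    if COOKIE_NAME not in cookies:
        return {"present": False, "serialized": False, "encoding": None, "size": 0}
    value = cookies[COOKIE_NAME]
    for encoding, data in candidate_decodings(value):
        if data.startswith(JAVA_STREAM_MAGIC):
            return {"present": True, "serialized": True, "encoding": encoding, "size": len(data)}
    return {"present": True, "serialized": False, "encoding": None, "size": len(value)}


def naive_substring_match(value: str) -> bool:
    """A SIEM-style wildcard match on the base64 prefix or the hex letters
    "ACED", case-insensitive. Kept here to show its false positives."""
    lowered = value.lower()
    return "ro0ab" in lowered or "aced" in lowered


def scan_records(records) -> list:
    """Run classify over (request_id, cookie_header) pairs; return the alerts."""
    alerts = []
    for request_id, cookie_header in records:
        result = classify(cookie_header)
        if result["serialized"]:
            alerts.append({"id": request_id, "encoding": result["encoding"], "size": result["size"]})
    return alerts


# Constructed sample records (not real Proxia logs). r2 and r3 carry a Java
# stream header in two encodings; r4 only looks suspicious to a substring match.
_SAMPLE_STREAM = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x12com.example.Sample"
SAMPLE_RECORDS = [
    ("r1", "JSESSIONID=abc123; proxia-error=404"),
    ("r2", "proxia-error=" + base64.b64encode(_SAMPLE_STREAM).decode("ascii")),
    ("r3", "proxia-error=%AC%ED%00%05%73%72%00%12com.example.Sample"),
    ("r4", "proxia-error=placedOrderFailed"),
    ("r5", "theme=dark"),
]

if __name__ == "__main__":
    for alert in scan_records(SAMPLE_RECORDS):
        print(alert)
    print("naive match on r4:", naive_substring_match("placedOrderFailed"))
```

Only r2 and r3 are reported; r4 trips the naive substring check but decodes to nothing resembling a Java stream, which is the false positive a WAF or SIEM rule built on "*ACED*" would raise. Decoding before matching also catches values that were percent-encoded by the client and would not contain the literal "rO0AB" text.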