CVE-2020-24639
📋 TL;DR
CVE-2020-24639 is a critical Java deserialization vulnerability in Airwave Glass that allows remote attackers to execute arbitrary commands. Successful exploitation can lead to complete compromise of the containerized environment and potentially the underlying host operating system. Organizations running Airwave Glass versions before 1.3.3 in containerized deployments are affected.
💻 Affected Systems
- Airwave Glass
📦 What is this software?
Airwave Glass by Arubanetworks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the containerized environment leading to host operating system takeover, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution within the container, allowing attackers to steal credentials, modify configurations, and pivot to other systems.
If Mitigated
Limited impact if proper network segmentation, container security controls, and monitoring are in place to detect and block exploitation attempts.
🎯 Exploit Status
The vulnerability leverages unsafe Java deserialization, which has well-known exploitation patterns and public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3
Vendor Advisory: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-001.txt
Restart Required: Yes
Instructions:
1. Download Airwave Glass version 1.3.3 or later from the Aruba support portal.
2. Stop the Airwave Glass service.
3. Deploy the updated container image.
4. Restart the service.
5. Verify the version is 1.3.3 or higher.
🔧 Temporary Workarounds
Network Segmentation
Isolate Airwave Glass containers from the internet and restrict internal network access to only the necessary systems.
Container Security Controls
Implement container security solutions that can detect and block Java deserialization attacks.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to only trusted IP addresses
- Deploy runtime application self-protection (RASP) or web application firewall (WAF) with Java deserialization protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Airwave Glass version via the web interface or container inspection. If version is below 1.3.3 and running in a container, the system is vulnerable.
Check Version:
docker inspect <container_name> | grep -i version
or check the web interface admin panel.
Verify Fix Applied:
Verify the version shows 1.3.3 or higher in the Airwave Glass web interface or via container inspection commands.
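The check above compares a version string against 1.3.3, and string comparison gets this wrong once a component reaches two digits (1.3.10 sorts before 1.3.3 as text). The script below is an added example, not part of the advisory or Aruba's tooling: it parses the JSON that docker inspect emits, looks for version-like labels or environment entries (the structured equivalent of grep -i version), and compares numerically against the fixed release. The label and environment variable names in the embedded sample record are assumptions; the sample itself is constructed.

```python
import json
import re
import subprocess

FIXED_VERSION = "1.3.3"  # first fixed release named in the advisory


def parse_version(text):
    """'v1.3.10' -> (1, 3, 10). A trailing suffix such as '-rc1' is ignored.
    Raises ValueError when the text carries no dotted numeric version."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True when the running release is below the fixed one (tuple compare,
    so 1.3.10 is correctly treated as newer than 1.3.3)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_versions(inspect_output):
    """Walk Config.Labels and Config.Env of every record in `docker inspect`
    output and return {key: value} for keys whose name contains 'version'."""
    found = {}
    for record in json.loads(inspect_output):
        cfg = record.get("Config") or {}
        for key, value in (cfg.get("Labels") or {}).items():
            if "version" in key.lower():
                found[key] = value
        for entry in cfg.get("Env") or []:
            key, _, value = entry.partition("=")
            if "version" in key.lower():
                found[key] = value
    return found


def assess(inspect_output):
    """Return (version, vulnerable) from the first parseable version-like value,
    or (None, None) when nothing in the record identifies the release."""
    for value in find_versions(inspect_output).values():
        try:
            return value, is_vulnerable(value)
        except ValueError:
            continue
    return None, None


def inspect_container(name):
    """Live wrapper around `docker inspect <name>` (needs the docker CLI)."""
    result = subprocess.run(["docker", "inspect", name], check=True,
                            capture_output=True, text=True)
    return result.stdout


# CONSTRUCTED sample of docker inspect output. The OCI 'version' label and the
# GLASS_VERSION variable are assumptions about how the image is labelled.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/airwave-glass",
    "Config": {
        "Labels": {"org.opencontainers.image.version": "1.3.2",
                   "maintainer": "example"},
        "Env": ["PATH=/usr/bin", "GLASS_VERSION=1.3.2"],
    },
}])

if __name__ == "__main__":
    import sys
    data = inspect_container(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INSPECT
    version, vulnerable = assess(data)
    if version is None:
        print("no version found; check the web interface admin panel")
    else:
        print(f"version {version}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

Run it with a container name to inspect a live container, or without arguments to exercise the embedded sample. If the image carries no version metadata at all, the script says so rather than guessing, and the web interface remains the authoritative place to confirm the release.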
📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization errors in application logs
- Suspicious process creation from Java runtime
- Unexpected network connections from the container
Network Indicators:
- HTTP requests containing serialized Java objects to Airwave Glass endpoints
- Outbound connections from Airwave Glass container to unexpected destinations
SIEM Query:
source="airwave-glass" AND ("deserialization" OR "java.io.ObjectInputStream" OR suspicious_command_execution)
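The SIEM query above keys on strings alone; the script below turns the three log indicators and the network indicators into rules that can be run over exported container and host logs. It is an added example, not part of the advisory, and the audit-log line format (event=proc_exec, event=conn_out) and the allowed destination range are constructed for the demonstration; only the Java exception and class names are real JDK identifiers that appear in stack traces when an object stream is rejected.

```python
import ipaddress
import re

# Destinations the Airwave Glass container is expected to reach
# (CONSTRUCTED allowlist; replace with your management/monitoring ranges).
ALLOWED_DST = [ipaddress.ip_network("10.20.0.0/16")]

# Rule 1: deserialization errors. These are real JDK names that surface in
# application logs when ObjectInputStream rejects or chokes on a stream.
DESER_ERROR = re.compile(
    r"java\.io\.ObjectInputStream|InvalidClassException|StreamCorruptedException"
)
# Rule 2: a process whose parent is the Java runtime (constructed audit format).
PROC_FROM_JAVA = re.compile(r"\bevent=proc_exec\b.*\bparent=java\b.*\bcmd=(?P<cmd>\S+)")
# Rule 3: outbound connection from the container (constructed audit format, IPv4).
OUTBOUND = re.compile(r"\bevent=conn_out\b.*\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def classify(line):
    """Return the name of the rule that fires on one log line, or None."""
    if DESER_ERROR.search(line):
        return "deserialization_error"
    if PROC_FROM_JAVA.search(line):
        return "process_from_java"
    m = OUTBOUND.search(line)
    if m:
        dst = ipaddress.ip_address(m.group("ip"))
        if not any(dst in net for net in ALLOWED_DST):
            return "unexpected_outbound"
    return None


def scan(lines):
    """Return [(rule, line)] for every line that matched a rule, in log order."""
    hits = []
    for line in lines:
        rule = classify(line)
        if rule is not None:
            hits.append((rule, line))
    return hits


def summarize(hits):
    """Count hits per rule. All three rules firing within a short window, as in
    the sample below, is a much stronger signal than any single rule alone."""
    counts = {}
    for rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# CONSTRUCTED sample: application log lines followed by host audit records.
SAMPLE_LOGS = [
    "2021-01-12T10:01:02Z INFO  web  Started HTTP listener on :443",
    "2021-01-12T10:02:15Z ERROR web  java.io.InvalidClassException: filter status: REJECTED",
    "2021-01-12T10:02:15Z ERROR web  at java.io.ObjectInputStream.readObject(ObjectInputStream.java:461)",
    "2021-01-12T10:02:16Z AUDIT host event=proc_exec parent=java cmd=/bin/sh",
    "2021-01-12T10:02:17Z AUDIT host event=conn_out dst=203.0.113.7:4444",
    "2021-01-12T10:03:00Z AUDIT host event=conn_out dst=10.20.1.9:443",
    "2021-01-12T10:04:00Z AUDIT host event=proc_exec parent=systemd cmd=/usr/bin/java",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for rule, line in hits:
        print(f"[{rule}] {line}")
    print(summarize(hits))
```

The allowlist is what keeps rule 3 useful: a management-plane connection to 10.20.1.9 is ignored while the same record to an address outside the expected ranges is flagged. The java-started-a-shell rule is deliberately narrow (parent must be the runtime) so that the legitimate service start on the last line does not fire.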