CVE-2020-9297

9.8 CRITICAL

📋 TL;DR

CVE-2020-9297 is a critical remote code execution vulnerability in Netflix Titus that allows attackers to execute arbitrary Java code by injecting malicious data into error message templates. This affects all Netflix Titus deployments using custom constraint validators prior to version v0.1.1-rc.274. Attackers can potentially gain full control of affected systems.

💻 Affected Systems

Products:
  • Netflix Titus
Versions: All versions prior to v0.1.1-rc.274
Operating Systems: Any OS running Java-based Titus deployments
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when custom constraint validators are used with error message templates that accept user input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing an attacker to execute arbitrary commands, access sensitive data, and pivot to other systems in the environment.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, or deployment of malware/backdoors on vulnerable Titus instances.

🟢 If Mitigated

Limited impact if proper input validation and network segmentation are in place, though the RCE risk remains significant.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker to inject data into error message templates, which may require specific application functionality to be accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.1.1-rc.274 and later

Vendor Advisory: https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2020-002.md

Restart Required: Yes

Instructions:

1. Update Netflix Titus to version v0.1.1-rc.274 or later.
2. Restart all Titus services.
3. Verify the update was successful by checking version numbers.

🔧 Temporary Workarounds

Disable EL Expression Interpolation

Applies to: all

Configure Titus to disable Java EL expression interpolation in constraint violation messages.

Set system property: -Dorg.hibernate.validator.expression_language_enabled=false

Input Validation Hardening

Applies to: all

Implement strict input validation on all user-controlled data passed to ConstraintValidatorContext.
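The bug class behind this CVE is a custom ConstraintValidator that concatenates caller-supplied data into the template passed to buildConstraintViolationWithTemplate, which Hibernate Validator then interpolates as Java EL. The example below is added here for illustration and is not Titus code or the vendor's fix: it shows that pattern beside the hardened form, where the template is a compile-time constant and the rejected value is only exposed through ConstraintViolation#getInvalidValue(). The ValidEntryPoint annotation, the "entry point" rule, the JobRequest bean and the sample input are all assumed; it expects the javax.validation API, Hibernate Validator and an EL implementation on the classpath (for the jakarta namespace, swap the package prefix).

```java
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.ConstraintViolation;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;

// Illustrative custom constraint, not part of Titus. The annotation name and the
// rule it enforces are assumed for this example; the annotation is wired to the
// hardened validator so the demo in main() exercises the safe path.
@Documented
@Constraint(validatedBy = EntryPointValidators.SafeEntryPointValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface ValidEntryPoint {
    String message() default "invalid entry point";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class EntryPointValidators {

    // Assumed allow-list for the example: only these characters are accepted.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_./-]+");

    /**
     * VULNERABLE pattern: the user-supplied value becomes part of the message
     * TEMPLATE. Hibernate Validator interpolates Java EL in custom templates, so
     * caller-controlled text is handed to the EL engine instead of being treated
     * as plain data. Kept here only as the "before" for comparison.
     */
    public static class UnsafeEntryPointValidator implements ConstraintValidator<ValidEntryPoint, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || ALLOWED.matcher(value).matches()) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();
            // Tainted template: attacker input is concatenated into the template string.
            ctx.buildConstraintViolationWithTemplate("Invalid entry point: " + value)
               .addConstraintViolation();
            return false;
        }
    }

    /**
     * HARDENED pattern: the template is a constant, so nothing user-controlled
     * reaches the interpolator. The offending value is still available to the
     * caller via ConstraintViolation#getInvalidValue(), without interpolation.
     */
    public static class SafeEntryPointValidator implements ConstraintValidator<ValidEntryPoint, String> {
        private static final String TEMPLATE = "Entry point must match [A-Za-z0-9_./-]+";

        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || ALLOWED.matcher(value).matches()) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate(TEMPLATE).addConstraintViolation();
            return false;
        }
    }

    /** Sample bean, constructed for the example. */
    public static class JobRequest {
        @ValidEntryPoint
        public final String entryPoint;

        public JobRequest(String entryPoint) {
            this.entryPoint = entryPoint;
        }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed input carrying an EL marker. With the hardened validator the
        // message is the fixed template; the raw value only appears as invalidValue.
        Set<ConstraintViolation<JobRequest>> violations =
            validator.validate(new JobRequest("${not-evaluated}"));
        for (ConstraintViolation<JobRequest> v : violations) {
            System.out.println("message      = " + v.getMessage());
            System.out.println("invalidValue = " + v.getInvalidValue());
        }
    }
}
```

The design point is that the template is the trust boundary: anything that needs to carry user data should travel in the violation's invalid value (or in application logs, written through a logger that does not re-interpolate it), never in the template string. Newer Hibernate Validator releases disable EL for custom violations by default, but treat any EL-disabling setting as defence in depth and confirm against the version actually deployed that it is honoured before relying on it as the only control.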

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Titus instances from sensitive systems
  • Deploy web application firewall (WAF) rules to block suspicious payloads targeting constraint validation endpoints

🔍 How to Verify

Check if Vulnerable:

Check Titus version: if version is earlier than v0.1.1-rc.274, system is vulnerable. Review application logs for suspicious constraint validation errors.

Check Version:

Check Titus deployment configuration or run: java -jar titus-server.jar --version

Verify Fix Applied:

Confirm Titus version is v0.1.1-rc.274 or later. Test that EL expression interpolation in constraint messages is properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual constraint validation errors
  • Java EL expressions in error messages
  • Suspicious payloads in request parameters

Network Indicators:

  • Unusual outbound connections from Titus instances
  • Traffic patterns suggesting command execution

SIEM Query:

source="titus" AND (message="*ConstraintViolation*" OR message="*EL expression*" OR message="*buildConstraintViolationWithTemplate*")
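The SIEM query above keys on constraint-violation message text; the log indicator a responder actually wants is a constraint-violation line whose message contains EL syntax, which a sanitised message should never carry. The following helper is an added example, not from the advisory or from Titus: it scans constructed log lines and reports only those that are both about constraint validation and contain an EL marker, so ordinary validation failures and unrelated `${...}` strings do not raise noise. Hostnames, job ids and timestamps in the sample are made up; the detector treats `#{...}` as well as `${...}` because the underlying EL implementation accepts both forms.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added detection helper (not part of the advisory or of Titus): flags log lines
 * in which a constraint-violation message carries EL interpolation syntax.
 */
public class ElInConstraintMessageDetector {

    // A line is in scope only if it concerns constraint validation at all...
    private static final Pattern CONSTRAINT_CONTEXT = Pattern.compile(
        "ConstraintViolation|buildConstraintViolationWithTemplate|javax\\.validation|jakarta\\.validation");

    // ...and it contains an EL marker. Hibernate Validator designates EL with ${...};
    // #{...} is included because the EL engine itself also accepts that form.
    private static final Pattern EL_MARKER = Pattern.compile("[$#]\\{[^}]*\\}");

    /** Returns the lines that match both patterns, in input order. */
    public static List<String> findSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            if (CONSTRAINT_CONTEXT.matcher(line).find() && EL_MARKER.matcher(line).find()) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines; only the third one should be reported.
        List<String> sample = List.of(
            "2020-06-01T10:00:00Z INFO  titus-gateway job=j-1001 accepted",
            "2020-06-01T10:00:02Z WARN  titus-gateway ConstraintViolation: Entry point must match [A-Za-z0-9_./-]+",
            "2020-06-01T10:00:05Z WARN  titus-gateway ConstraintViolation: Invalid entry point: ${probe}",
            "2020-06-01T10:00:07Z DEBUG titus-gateway template ${cost} evaluated for billing report"
        );
        for (String hit : findSuspicious(sample)) {
            System.out.println("SUSPICIOUS: " + hit);
        }
    }
}
```

Feed it the same stream the SIEM query selects (source="titus") and alert on any hit: on a patched deployment with constant templates, the true-positive rate of this combination is high, and each hit also identifies the request parameter that reached the validator, which is the value to pull from request logs for triage.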
