CVE-2021-28890
📋 TL;DR
CVE-2021-28890 is a critical SQL injection vulnerability in J2eeFAST that allows remote attackers to execute arbitrary SQL commands via specific parameters. This affects J2eeFAST 2.2.1 installations and could lead to complete database compromise. Organizations using this version are at immediate risk.
💻 Affected Systems
- J2eeFAST
📦 What is this software?
J2eefast by J2eefast
⚠️ Risk & Real-World Impact
Worst Case
Complete database takeover allowing data theft, data destruction, privilege escalation to admin, and potential remote code execution via database functions.
Likely Case
Unauthenticated attackers extracting sensitive user data, modifying application data, and gaining administrative access to the J2eeFAST application.
If Mitigated
Limited impact with proper input validation, parameterized queries, and network segmentation preventing database access.
🎯 Exploit Status
The vulnerability is well-documented with public proof-of-concept available. Exploitation requires minimal technical skill due to the straightforward SQL injection vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.2.1
Vendor Advisory: https://gitee.com/zhouhuanOGP/J2EEFAST/issues/I3BOFQ
Restart Required: Yes
Instructions:
1. Upgrade J2eeFAST to version 2.2.2 or later.
2. Replace all ${} SQL concatenation with parameterized queries.
3. Restart the application server.
4. Validate all user inputs server-side.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy web application firewall rules to block SQL injection patterns targeting the vulnerable endpoints
# Example ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
# Add specific rules for compId, deptId, and roleId parameters
Input Validation Filter
Implement server-side input validation to reject malicious SQL patterns
# Java filter example (String.matches must match the whole value, hence the leading and trailing .*):
# if (parameter.matches(".*[;'\"].*")) { throw new SecurityException("Invalid input"); }
🧯 If You Can't Patch
- Block access to /fast/sys/user/list, /fast/sys/role/list, and /fast/sys/role/authUser/list endpoints at network or application firewall
- Implement database-level protections: restrict application database user permissions, enable SQL injection protection features
🔍 How to Verify
Check if Vulnerable:
Test the vulnerable endpoints with SQL injection payloads, starting from a baseline request such as curl 'http://target/fast/sys/user/list?compId=1', or run an SQL injection testing tool against the three parameters (compId, deptId, roleId)
Check Version:
Check J2eeFAST version in application properties or via application info endpoint
Verify Fix Applied:
Verify that ${} SQL concatenation has been replaced with parameterized queries in the codebase and test endpoints with SQL injection payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to vulnerable endpoints with special characters
- Database query errors containing user input
Network Indicators:
- HTTP requests to /fast/sys/user/list, /fast/sys/role/list, /fast/sys/role/authUser/list with SQL keywords
- Unusual database traffic patterns from application server
SIEM Query:
source="web_logs" AND (uri="/fast/sys/user/list" OR uri="/fast/sys/role/list" OR uri="/fast/sys/role/authUser/list") AND (query_string CONTAINS "UNION" OR query_string CONTAINS "SELECT" OR query_string CONTAINS "OR 1=1")
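The SIEM query above matches raw substrings, so a percent-encoded probe (OR%201%3D1) would not contain "OR 1=1" as written. The following access-log checker, an added example that is not part of the advisory or of J2eeFAST, decodes each query string first and then inspects the three endpoints and parameters named above; it assumes compId, deptId and roleId are integer ids, so any non-numeric value is reported, and the log lines are constructed samples.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Endpoints and parameters named in the advisory.
VULN_ENDPOINTS = {"/fast/sys/user/list", "/fast/sys/role/list", "/fast/sys/role/authUser/list"}
VULN_PARAMS = {"compId", "deptId", "roleId"}

# Request line of a common/combined access-log entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# SQL fragments that never belong in an integer id. Applied to the decoded value,
# so OR%201%3D1 is caught although the raw query string never contains "OR 1=1".
SQLI_RE = re.compile(r"""['";]|--|/\*|\b(?:union|select|or|and|sleep|benchmark)\b""", re.IGNORECASE)


def inspect_request(target: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious vulnerable parameter in one request target."""
    parts = urlsplit(target)
    if parts.path not in VULN_ENDPOINTS:
        return []
    findings = []
    # parse_qsl percent-decodes values and turns '+' into a space.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in VULN_PARAMS or value.isdigit():
            continue  # assumption: a plain integer id is what these endpoints expect
        reason = "sql-fragment" if SQLI_RE.search(value) else "non-numeric"
        findings.append({"endpoint": parts.path, "param": name, "value": value, "reason": reason})
    return findings


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run inspect_request over access-log lines, tagging each finding with the client IP."""
    results = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        results.extend({"client": client, **f} for f in inspect_request(m.group("target")))
    return results


# Constructed sample log lines (not real traffic); only the second and third should be reported.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2021:10:00:00 +0000] "GET /fast/sys/user/list?compId=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2021:10:00:01 +0000] "GET /fast/sys/user/list?compId=1%20OR%201%3D1 HTTP/1.1" 200 9812',
    '198.51.100.7 - - [01/Jan/2021:10:00:02 +0000] "GET /fast/sys/role/authUser/list?roleId=2%27 HTTP/1.1" 500 233',
    '198.51.100.7 - - [01/Jan/2021:10:00:03 +0000] "GET /fast/sys/role/list?deptId=100&pageNum=1 HTTP/1.1" 200 777',
    '198.51.100.7 - - [01/Jan/2021:10:00:04 +0000] "GET /fast/sys/menu/list?compId=1%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 500 response paired with a flagged value (the third line) is the "database query errors containing user input" indicator from the log section and deserves priority over a 200.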