CVE-2021-35450
📋 TL;DR
CVE-2021-35450 is a Server-Side Template Injection vulnerability in Entando Admin Console that allows authenticated users with administrative privileges to execute arbitrary commands via FreeMarker templates. This affects Entando Admin Console versions 6.3.9 and earlier. Attackers can achieve remote code execution on the underlying server.
💻 Affected Systems
- Entando Admin Console
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Entando server with complete administrative control, data exfiltration, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Authenticated attackers with admin privileges execute arbitrary commands to steal sensitive data, modify configurations, or disrupt services.
If Mitigated
With proper access controls and network segmentation, impact is limited to the Entando application server only.
🎯 Exploit Status
Exploitation requires admin credentials but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.10 and later
Vendor Advisory: https://github.com/entando/entando-admin-console
Restart Required: Yes
Instructions:
1. Upgrade Entando Admin Console to version 6.3.10 or later.
2. Restart the Entando application server.
3. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Admin Console Access
Limit access to the Entando Admin Console to trusted IP addresses only using network controls.
# Use firewall rules to restrict access to Entando Admin Console port
# Example: iptables -A INPUT -p tcp --dport [ENTANDO_PORT] -s [TRUSTED_IP] -j ACCEPT
# iptables -A INPUT -p tcp --dport [ENTANDO_PORT] -j DROP
Disable FreeMarker Template Execution
Configure FreeMarker so that templates cannot instantiate arbitrary Java classes (the ?new built-in, which is what reaches freemarker.template.utility.Execute) if that capability is not required.
# FreeMarker has no "freemarker.template.utility.Execute=disabled" property; the control that
# governs what the ?new built-in may instantiate is the class resolver setting, e.g.:
# new_builtin_class_resolver=safer           (blocks Execute, ObjectConstructor and JythonRuntime)
# new_builtin_class_resolver=allows_nothing  (blocks ?new entirely)
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for admin accounts
- Monitor and audit all admin console activities for suspicious template execution
🔍 How to Verify
Check if Vulnerable:
Check Entando Admin Console version. If version is 6.3.9 or earlier, the system is vulnerable.
Check Version:
Check Entando application logs or configuration files for version information
Verify Fix Applied:
Verify Entando Admin Console version is 6.3.10 or later and test that template injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual FreeMarker template execution patterns
- Admin console access from unexpected IP addresses
- Commands executed via template injection
Network Indicators:
- Unusual outbound connections from Entando server
- Traffic patterns indicating data exfiltration
SIEM Query:
source="entando" AND ("freemarker.template.utility.Execute" OR "template injection")
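The SIEM query above keys on two literal strings. The following added example (not part of the original advisory, and not Entando code) shows the same idea as runnable detection logic over a few constructed admin-console log lines: it flags template bodies that reference the class-loading constructs a page template never needs, and separately flags admin activity from outside a constructed trusted-IP allow-list. The log format and the IP allow-list are assumptions for the sake of the example.

```python
import re
from typing import Dict, List

# Constructed sample log lines; not taken from any real Entando deployment.
SAMPLE_LOGS = [
    '2021-07-01T10:02:11Z user=alice ip=203.0.113.7 action=saveTemplate '
    'body=${"freemarker.template.utility.Execute"?new()}',
    '2021-07-01T10:03:40Z user=bob ip=198.51.100.9 action=saveTemplate '
    'body=<#assign c="freemarker.template.utility.ObjectConstructor"?new()>',
    '2021-07-01T10:05:02Z user=carol ip=192.0.2.5 action=saveTemplate '
    'body=<h1>${page.title}</h1>',
    '2021-07-01T10:06:15Z user=alice ip=203.0.113.7 action=viewTemplate '
    'body=<#list items as i>${i.name}</#list>',
]

# Constructs a page template should never contain: the ?new built-in (which
# instantiates Java classes), the two utility classes it is usually pointed
# at, and the ?api built-in that exposes raw Java objects.
SUSPICIOUS_PATTERNS = {
    "execute_class": re.compile(r"freemarker\.template\.utility\.Execute"),
    "object_constructor_class": re.compile(r"freemarker\.template\.utility\.ObjectConstructor"),
    "new_builtin": re.compile(r"\?\s*new\s*\("),
    "api_builtin": re.compile(r"\?\s*api\b"),
}

TRUSTED_ADMIN_IPS = {"192.0.2.5", "198.51.100.9"}  # constructed allow-list (assumption)

LINE_RE = re.compile(r"user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) body=(?P<body>.*)$")


def analyze_line(line: str) -> Dict[str, object]:
    """Parse one assumed-format log line and list the indicators it triggers."""
    m = LINE_RE.search(line)
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(m["body"])]
    if m["ip"] not in TRUSTED_ADMIN_IPS:
        hits.append("untrusted_admin_ip")
    return {"user": m["user"], "ip": m["ip"], "action": m["action"], "indicators": hits}


def find_alerts(lines: List[str]) -> List[Dict[str, object]]:
    """Template-level hits are high severity whatever the source IP; an
    untrusted admin IP with a clean template body is a low-severity alert."""
    alerts = []
    for line in lines:
        r = analyze_line(line)
        template_hits = [h for h in r["indicators"] if h != "untrusted_admin_ip"]
        if template_hits:
            r["severity"] = "high"
        elif "untrusted_admin_ip" in r["indicators"]:
            r["severity"] = "low"
        else:
            continue
        alerts.append(r)
    return alerts
```

On the sample lines this yields two high-severity alerts (the Execute and ObjectConstructor references) and one low-severity alert for the otherwise benign template viewed from an IP outside the allow-list.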