CVE-2022-22916

9.8 CRITICAL

📋 TL;DR

O2OA v6.4.7 contains a remote code execution vulnerability in the /x_program_center/jaxrs/invoke endpoint that allows unauthenticated attackers to execute arbitrary code on affected systems. This affects all organizations running vulnerable versions of O2OA, an open-source enterprise collaboration platform. The vulnerability is particularly dangerous because it requires no authentication and has public exploit code available.

💻 Affected Systems

Products:
  • O2OA
Versions: v6.4.7 is the version named in the advisory; earlier releases have not been confirmed unaffected, so treat them as potentially vulnerable
Operating Systems: All platforms running O2OA
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint appears to be part of standard O2OA functionality with no special configuration required for exploitation.

📦 What is this software?

O2OA is an open-source, Java-based enterprise collaboration (OA) platform. The vulnerable /x_program_center/jaxrs/invoke endpoint belongs to its standard program-center service and is present in a default installation without any special configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to internal networks, and establish persistent backdoors.

🟠 Likely Case

Attackers gain shell access to the server, deploy ransomware or cryptocurrency miners, and exfiltrate application data and credentials.

🟢 If Mitigated

Attack attempts are blocked at the network perimeter, or systems are patched before exploitation occurs.

🌐 Internet-Facing: HIGH - Public exploit code exists and vulnerability requires no authentication, making internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Even internal systems are at risk from insider threats or compromised internal devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains working proof-of-concept exploit code that demonstrates remote code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after v6.4.7 (check O2OA official releases)

Vendor Advisory: http://o2oa.com

Restart Required: Yes

Instructions:

1. Back up the current O2OA installation and its data.
2. Download the latest O2OA release from the official website.
3. Stop the O2OA service.
4. Replace the installation with the patched version.
5. Restart the O2OA service.
6. Verify functionality.

🔧 Temporary Workarounds

Block vulnerable endpoint

Platform: all

Use a web application firewall or reverse proxy in front of O2OA to deny access to /x_program_center/jaxrs/invoke. Use a prefix match so that sub-paths beneath the endpoint are denied as well, and apply the rule on the proxy that clients actually reach: a rule on a proxy that can be bypassed by connecting to the O2OA port directly gives no protection.

# Example nginx location block (prefix match; also covers /x_program_center/jaxrs/invoke/...):
location /x_program_center/jaxrs/invoke { deny all; }

# Example Apache httpd, in the server or virtual-host configuration (not .htaccess:
# <Location> is not permitted in .htaccess files). Apache 2.4 syntax:
<Location "/x_program_center/jaxrs/invoke">
    Require all denied
</Location>
# Apache 2.2 equivalent:
<Location "/x_program_center/jaxrs/invoke">
    Order deny,allow
    Deny from all
</Location>

Network segmentation

Platform: linux

Restrict network access to O2OA instances to trusted IP addresses only. iptables evaluates rules in order, so the ACCEPT rules must precede the DROP; keep an ACCEPT for established connections and for the address you administer the host from, or the DROP will cut off your own session.

# Example iptables rules (substitute the O2OA listening port and the trusted source address or CIDR):
iptables -A INPUT -p tcp --dport [O2OA_PORT] -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport [O2OA_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [O2OA_PORT] -j DROP

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and restrict internal network access
  • Implement strict monitoring and alerting for exploitation attempts on the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the O2OA version is v6.4.7 or earlier (the advisory names v6.4.7 and does not clear older releases). Then test whether the endpoint is being served: curl -i -X POST http://[target]/x_program_center/jaxrs/invoke . A 403 from a proxy rule or a 404 means the path is not reachable; any other response, including a 4xx error from the application itself (normal for a POST with no body), means the endpoint is reachable. Reachability is only an exposure indicator; the version check is the authoritative test.

Check Version:

Check O2OA web interface or installation directory for version information

Verify Fix Applied:

Confirm that the running O2OA version is later than v6.4.7. If a proxy or WAF rule was deployed as a stop-gap, confirm that a POST to /x_program_center/jaxrs/invoke now returns 403 from the proxy instead of reaching the application, and re-run whatever authorized test originally demonstrated code execution to confirm that it now fails.
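The two checks above (version and endpoint reachability) as one script. This is an added example, not O2OA project code and not from the advisory; the version string is assumed to be read by the operator from the web UI or install directory and passed in, the probe is the page's bodiless POST, the host name in the usage line is hypothetical, and the HTTP status is read only as "is the path served", never as proof of exploitability.

```python
"""Version and endpoint checks for CVE-2022-22916 (O2OA, /x_program_center/jaxrs/invoke).

Added example; not O2OA project code and not from the advisory. Assumptions:
the version string is supplied by the operator; the probe is the page's
bodiless POST; its HTTP status is interpreted as "is the path served" only.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

LAST_AFFECTED = (6, 4, 7)      # page: v6.4.7 affected, "versions after v6.4.7" fixed
INVOKE_PATH = "/x_program_center/jaxrs/invoke"


def parse_version(text: str) -> Tuple[int, int, int]:
    """'v6.4.7' or 'O2OA 6.4.7-release' -> (6, 4, 7). ValueError if no x.y.z present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version number in %r" % text)
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_is_vulnerable(text: str) -> bool:
    """True for v6.4.7 and, since the advisory clears nothing older, anything below it."""
    return parse_version(text) <= LAST_AFFECTED


def classify_probe(status: Optional[int]) -> str:
    """Interpret the status of a bodiless POST to the invoke path.

    None: connection failed (host down, port filtered, timeout).
    403:  a proxy/WAF deny rule is answering for the path.
    404:  the path is not served at all.
    Anything else, including 400/405/415, which a JAX-RS endpoint commonly
    returns for a POST with no body, means the endpoint is reachable.
    """
    if status is None:
        return "unreachable: connection failed or filtered"
    if status == 403:
        return "blocked: proxy/WAF deny rule in effect"
    if status == 404:
        return "absent: path not served"
    if status == 401:
        return "reachable: endpoint present, credentials demanded"
    return "reachable: endpoint answered with HTTP %d" % status


def probe_invoke(base_url: str, timeout: float = 5.0) -> Optional[int]:
    """Send the equivalent of the page's `curl -X POST .../invoke` and return the status."""
    req = urllib.request.Request(base_url.rstrip("/") + INVOKE_PATH, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code              # 4xx/5xx still tell us the path is served
    except (urllib.error.URLError, OSError):
        return None


def assess(version_text: str, status: Optional[int]) -> str:
    """Combine both checks; the version is authoritative, the probe only adds exposure."""
    vulnerable = version_is_vulnerable(version_text)
    reach = classify_probe(status)
    if vulnerable and reach.startswith("reachable"):
        return "VULNERABLE AND EXPOSED: " + reach
    if vulnerable:
        return "VULNERABLE, endpoint " + reach + "; patch regardless"
    return "patched version; endpoint " + reach


if __name__ == "__main__":
    if len(sys.argv) != 3:
        # host name below is hypothetical
        sys.exit("usage: check_o2oa.py http://o2oa.example.internal v6.4.7")
    print(assess(sys.argv[2], probe_invoke(sys.argv[1])))
```

Run it as `python3 check_o2oa.py http://<host> <version>`; a "VULNERABLE, endpoint blocked" verdict means the stop-gap proxy rule is working but the patch is still outstanding.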

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /x_program_center/jaxrs/invoke with suspicious payloads
  • Unusual process execution from O2OA service account
  • Error logs containing Java serialization or reflection errors

Network Indicators:

  • Unusual outbound connections from O2OA server
  • Traffic patterns suggesting command and control communication
  • POST requests to invoke endpoint from unexpected sources

SIEM Query:

# Pseudo-query in Splunk-like syntax; adjust field names to your schema. The parentheses matter:
# without them AND binds tighter than OR and the process clauses silently widen the match.
# The OS-level indicator is a child process spawned by the Java process running O2OA, not the
# Java command line itself.
source="o2oa" AND (
    url="/x_program_center/jaxrs/invoke*"
    OR (event="process_create" AND parent_process="java" AND user="o2oa")
)
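The log indicators above (POSTs to the invoke endpoint, requests from unexpected sources) run over sample access-log lines. This is an added example, not part of the page and not O2OA code. It assumes an nginx or Apache "combined" access log from a reverse proxy in front of O2OA and an operator-supplied allowlist of trusted source networks. The log lines are constructed for the example, not real traffic, and the sub-path in the third line is made up to show that prefix matching also catches paths beneath the endpoint.

```python
"""Scan reverse-proxy access logs for traffic to the CVE-2022-22916 endpoint.

Added example, not part of the page and not O2OA code. Assumes an nginx or
Apache "combined" access log and an operator-supplied allowlist of source
networks. SAMPLE_LOG is constructed; the "/invoke/example" sub-path is made up.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

INVOKE_PATH = "/x_program_center/jaxrs/invoke"

# combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
10.0.1.25 - - [12/Mar/2024:09:14:02 +0000] "GET /x_desktop/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:09:14:10 +0000] "POST /x_program_center/jaxrs/invoke HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:09:14:11 +0000] "POST /x_program_center/jaxrs/invoke/example HTTP/1.1" 200 96 "-" "python-requests/2.31"
10.0.1.25 - - [12/Mar/2024:09:20:00 +0000] "POST /x_program_center/jaxrs/invoke HTTP/1.1" 403 153 "-" "curl/8.4.0"
198.51.100.9 - - [12/Mar/2024:09:21:33 +0000] "GET /X_PROGRAM_CENTER/JAXRS/INVOKE?x=1 HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def is_invoke_request(path: str) -> bool:
    """Prefix match on the path with the query string removed, case-insensitive,
    so sub-paths and case games against a case-sensitive proxy rule still match."""
    return path.split("?", 1)[0].lower().startswith(INVOKE_PATH)


def severity(method: str, status: str, trusted: bool) -> str:
    accepted = status.startswith("2")
    if method == "POST" and accepted and not trusted:
        return "critical"   # endpoint accepted a POST from outside: treat as exploitation
    if method == "POST" and accepted:
        return "high"       # accepted, but from an allowlisted source: verify who sent it
    if not trusted:
        return "medium"     # blocked or failed attempt from outside: reconnaissance
    return "low"            # blocked or failed attempt from inside


def scan(lines: Iterable[str], trusted_nets: List[str]) -> List[Dict[str, object]]:
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_invoke_request(rec["path"]):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        trusted = any(ip in n for n in nets)
        hit: Dict[str, object] = dict(rec)
        hit["trusted"] = trusted
        hit["severity"] = severity(rec["method"], rec["status"], trusted)
        hits.append(hit)
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[tuple, int]:
    """Count hits per (source ip, severity) for a quick triage view."""
    return dict(Counter((h["ip"], h["severity"]) for h in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"])
    for h in found:
        print("%-8s %-14s %s %s %s" % (h["severity"], h["ip"], h["method"], h["path"], h["status"]))
    print(summarize(found))
```

Feed real logs with `scan(open(path), ["10.0.0.0/8", "192.0.2.10/32"])`; anything rated critical is an accepted POST to the endpoint from outside the allowlist and should be treated as a probable compromise of that host until the version check and host triage say otherwise.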
