CVE-2022-24405
📋 TL;DR
CVE-2022-24405 is a critical OS command injection vulnerability in OX App Suite's Documentconverter API that allows attackers to execute arbitrary commands on the server by sending malicious serialized Java objects. This affects all OX App Suite installations up to version 7.10.6. Attackers can achieve remote code execution with high privileges.
💻 Affected Systems
- OX App Suite
📦 What is this software?
OX App Suite by Open-Xchange
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands as the application user, potentially leading to data theft, lateral movement, or complete server takeover.
Likely Case
Remote code execution leading to web shell deployment, credential harvesting, and data exfiltration from the OX App Suite environment.
If Mitigated
Limited impact if network segmentation, strict firewall rules, and proper access controls prevent exploitation attempts.
🎯 Exploit Status
Exploitation requires authentication to OX App Suite. Public proof-of-concept code is available, making exploitation straightforward for attackers with valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OX App Suite 7.10.7 and later
Vendor Advisory: https://open-xchange.com
Restart Required: Yes
Instructions:
1. Backup your OX App Suite installation and data.
2. Download and install OX App Suite version 7.10.7 or later from the official vendor.
3. Restart all OX App Suite services.
4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Disable Documentconverter API
Temporarily disable the vulnerable Documentconverter API endpoint to prevent exploitation while planning for patching.
# Edit OX App Suite configuration to disable Documentconverter API
# Consult OX App Suite documentation for specific configuration changes
Network Access Restrictions
Restrict network access to the OX App Suite Documentconverter API endpoints using firewall rules.
# Example iptables rule to restrict access
iptables -A INPUT -p tcp --dport [OX_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [OX_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to OX App Suite only from trusted networks.
- Deploy a web application firewall (WAF) with rules specifically blocking OS command injection patterns targeting the Documentconverter API.
🔍 How to Verify
Check if Vulnerable:
Check if your OX App Suite version is 7.10.6 or earlier. The vulnerability affects all versions through 7.10.6.
Check Version:
Check OX App Suite admin interface or configuration files for version information. Typically found in /opt/open-xchange/etc/version.properties or similar location.
Verify Fix Applied:
Verify that OX App Suite has been updated to version 7.10.7 or later and that the Documentconverter API no longer accepts malicious serialized Java objects.
📡 Detection & Monitoring
Log Indicators:
- Unusual Documentconverter API requests with serialized Java objects
- Suspicious command execution patterns in system logs
- Multiple failed authentication attempts followed by Documentconverter API access
Network Indicators:
- Unusual outbound connections from OX App Suite server
- Traffic patterns indicating command and control communication
- Exploitation attempts against Documentconverter API endpoints
SIEM Query:
source="ox-app-suite" AND (uri_path="/documentconverter" OR uri_path CONTAINS "documentconverter") AND (request_body CONTAINS "serialized" OR request_body CONTAINS "java.io")
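A defender-side check that applies the log indicators and SIEM query above to request log lines, added here as an example and not part of this advisory. The key=value log format with a base64-encoded body field, the sample lines, users and addresses are constructed assumptions; the detection keys on the Java serialization stream header (AC ED 00 05), its base64 form (rO0AB) and java.io class references in bodies sent to Documentconverter paths.

```python
import base64
import re

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same header after base64 encoding (the familiar "rO0AB" prefix)
JAVA_SER_B64_PREFIX = b"rO0AB"

# Constructed log format (assumption): space-separated key=value fields,
# with the request body stored base64-encoded in the "body" field.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def serialized_java_reason(body_b64: str):
    """Return a reason string if the decoded body carries a Java serialization
    stream (raw, nested base64, or java.io class names), otherwise None."""
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw.startswith(JAVA_SER_MAGIC):
        return "raw Java serialization stream (AC ED 00 05)"
    if raw.lstrip().startswith(JAVA_SER_B64_PREFIX):
        return "base64-encoded Java serialization stream (rO0AB...)"
    if b"java.io" in raw:
        return "java.io class reference in request body"
    return None

def find_suspicious(lines):
    """Return (src, user, uri, reason) for Documentconverter requests whose
    body looks like a serialized Java object; other URIs are ignored."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if "documentconverter" not in rec.get("uri", "").lower():
            continue
        reason = serialized_java_reason(rec.get("body", ""))
        if reason:
            hits.append((rec.get("src"), rec.get("user"), rec["uri"], reason))
    return hits

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

# Constructed sample log lines (not from a real OX App Suite deployment)
SAMPLE_LOG = [
    "ts=2022-03-01T10:00:00Z src=10.0.0.5 user=alice method=GET uri=/ajax/mail body=",
    "ts=2022-03-01T10:00:07Z src=10.0.0.5 user=alice method=POST uri=/documentconverter body=" + _b64(b"format=pdf&filename=report.docx"),
    "ts=2022-03-01T10:01:12Z src=203.0.113.9 user=bob method=POST uri=/documentconverter body=" + _b64(JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap"),
    "ts=2022-03-01T10:01:15Z src=203.0.113.9 user=bob method=POST uri=/DocumentConverter/convert body=" + _b64(b"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA=="),
    "ts=2022-03-01T10:02:00Z src=203.0.113.9 user=bob method=POST uri=/api/upload body=" + _b64(JAVA_SER_MAGIC + b"sr"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

The last sample line shows the scope of the page's SIEM query: a serialized body sent to a non-Documentconverter path is not flagged, so widen the URI filter if you want broader coverage.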