CVE-2022-28109 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2022-28109?

CVE-2022-28109 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Selenium Grid/Standalone Server instances via DNS rebinding attacks. Attackers can exploit the WebDriver endpoint by tricking users into visiting malicious websites, leading to remote code execution. Organizations running vulnerable Selenium Grid/Standalone Server versions are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Selenium Grid/Standalone Server instances via DNS rebinding attacks. Attackers can exploit the WebDriver endpoint by tricking users into visiting malicious websites, leading to remote code execution. Organizations running vulnerable Selenium Grid/Standalone Server versions are affected.

💻 Affected Systems

Products:

Selenium Grid
Selenium Standalone Server

Versions: All versions before 4.0.0-alpha-7

Operating Systems: All platforms running Selenium Grid/Standalone Server

Default Config Vulnerable: ⚠️ Yes

Notes: Default configurations expose the vulnerable WebDriver endpoint. Any instance with network access to the WebDriver port is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with server privileges, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠

Likely Case

Remote code execution leading to unauthorized access, data exfiltration, or deployment of malware on affected systems.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting isolated test environments.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable via malicious websites without authentication.

🏢 Internal Only: MEDIUM - Internal instances require internal user interaction with malicious content but can still be exploited.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires DNS rebinding setup and user interaction, but public proof-of-concept exists making attacks feasible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.0-alpha-7 and later

Vendor Advisory: https://www.selenium.dev/blog/2022/selenium-grid-4.0.0-alpha-7-released/

Restart Required: Yes

Instructions:

1. Stop Selenium Grid/Standalone Server. 2. Update to version 4.0.0-alpha-7 or later. 3. Restart the service. 4. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict access to Selenium Grid WebDriver endpoint to trusted networks only.

Use firewall rules to block external access to Selenium Grid ports (default: 4444)

DNS Rebinding Protection

all

Configure DNS servers to prevent DNS rebinding attacks.

Configure DNS server to block private IP responses for external domains

🧯 If You Can't Patch

Isolate Selenium Grid instances in separate network segments with strict firewall rules
Implement web application firewall (WAF) rules to block malicious requests to WebDriver endpoints

🔍 How to Verify

Check if Vulnerable:

Check Selenium Grid version. If version is below 4.0.0-alpha-7 and WebDriver endpoint is accessible, the system is vulnerable.

Check Version:

java -jar selenium-server.jar --version

Verify Fix Applied:

Verify version is 4.0.0-alpha-7 or later and test that WebDriver endpoint properly validates origin headers.

📡 Detection & Monitoring

Log Indicators:

Unusual WebDriver requests from unexpected IPs
DNS resolution failures followed by WebDriver access

Network Indicators:

DNS queries for suspicious domains followed by WebDriver endpoint access
Unusual traffic patterns to Selenium Grid ports

SIEM Query:

source="selenium-grid.log" AND ("WebDriver" OR "session") AND src_ip NOT IN [trusted_ips]

📊 Metadata

CVE ID: CVE-2022-28109

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-352

Published: April 15, 2022

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2022/04/16/1 Mailing List,Third Party Advisory
https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/ Exploit,Mitigation,Third Party Advisory
https://www.openwall.com/lists/oss-security/2022/02/07/3 Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/04/16/1 Mailing List,Third Party Advisory
https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/ Exploit,Mitigation,Third Party Advisory
https://www.openwall.com/lists/oss-security/2022/02/07/3 Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28109, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Selenium Grid by Selenium

Selenium Grid by Selenium

Selenium Grid by Selenium

Selenium Grid by Selenium

Selenium Grid by Selenium

Selenium Grid by Selenium

Selenium Grid by Selenium

Selenium Grid by Selenium

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Network Segmentation

DNS Rebinding Protection

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities