CVE-2022-28995

9.8 CRITICAL

📋 TL;DR

Rengine v1.0.2 contains a remote code execution vulnerability through its YAML configuration function, allowing attackers to execute arbitrary code on affected systems. This affects all deployments running the vulnerable version of Rengine, particularly those exposed to untrusted YAML input.

💻 Affected Systems

Products:
  • Rengine
Versions: v1.0.2
Operating Systems: All platforms running Rengine
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using Rengine v1.0.2 with YAML configuration functionality enabled is vulnerable. The vulnerability is in the YAML parsing component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing an attacker to execute arbitrary commands with the privileges of the Rengine process, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Remote code execution leading to web shell installation, cryptocurrency mining, or data exfiltration from the affected server.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and input validation are implemented, though RCE would still be possible.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication in default configurations.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or network-adjacent attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub issue demonstrates the vulnerability. RCE via YAML deserialization is a well-known attack vector with mature exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.3 or later

Vendor Advisory: https://github.com/zongdeiqianxing/rengine/issues/1

Restart Required: Yes

Instructions:

1. Stop the Rengine service.
2. Update to v1.0.3 or later via package manager or manual installation.
3. Restart the Rengine service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable YAML configuration (all platforms)

Disable YAML configuration functionality if it is not required: modify the Rengine configuration to disable YAML parsing.

Network isolation (linux)

Restrict network access to the Rengine service so that only trusted sources can reach it:

iptables -A INPUT -p tcp --dport [RENGINE_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [RENGINE_PORT] -j DROP

Both rules are appended in order, so the ACCEPT rule for the trusted network must be added before the DROP rule.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted sources only
  • Deploy web application firewall (WAF) with YAML deserialization attack detection rules

🔍 How to Verify

Check if Vulnerable:

Check the Rengine version: grep -i version /path/to/rengine/config, or check the package manager. If the version is 1.0.2, the system is vulnerable.

Check Version:

rengine --version or check installed package version

Verify Fix Applied:

Verify version is 1.0.3 or later and test YAML configuration functionality with safe input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual YAML parsing errors
  • Suspicious process execution from Rengine
  • Unexpected network connections from Rengine process

Network Indicators:

  • Unusual traffic to Rengine YAML endpoints
  • Suspicious payloads containing YAML with executable code

SIEM Query:

process_name:"rengine" AND (event_type:"process_execution" OR event_type:"yaml_parse_error")
