CVE-2022-30470
📋 TL;DR
This vulnerability in Afian FileRun allows attackers to achieve remote code execution by modifying the 'search_tika_path' variable to point to a malicious JAR file. Attackers can upload their own JAR file and then change the configuration to execute it, running commands as the webserver user. All FileRun installations using version 20220202 are affected.
💻 Affected Systems
- Afian FileRun
📦 What is this software?
Filerun by Afian
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code as the webserver user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attackers gain webserver user privileges and can access/modify files, execute commands, and potentially escalate privileges further on the host system.
If Mitigated
With proper network segmentation and least privilege, impact is limited to the webserver's capabilities and isolated from critical systems.
🎯 Exploit Status
Exploitation requires authenticated access to modify the search_tika_path variable and the ability to upload a JAR file. The attack chain is straightforward once these conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 20220202
Vendor Advisory: https://filerun.com/changelog
Restart Required: Yes
Instructions:
1. Back up your FileRun installation and database.
2. Download the latest FileRun version from the official website.
3. Replace the existing installation with the updated files.
4. Restart the web server service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict JAR file uploads
Configure the web server or application to block JAR files so that attackers cannot upload and then reference a malicious payload. Note that the web-server rules below deny HTTP requests for paths ending in .jar (so an uploaded JAR cannot be fetched or triggered through the web front end); they do not by themselves stop FileRun's upload handler from writing the file, so combine them with an upload-type restriction in the application where possible.
# For Apache 2.4: add to .htaccess or the virtual host config
# (on Apache 2.2 use "Order Allow,Deny" / "Deny from all" in place of Require)
<FilesMatch "\.jar$">
Require all denied
</FilesMatch>
# For Nginx: add inside the server block
# (note the space after "~*": without it nginx treats the pattern as a literal prefix)
location ~* \.jar$ {
    deny all;
}
Restrict configuration modification
Limit access to the FileRun configuration interface to authorized administrators only.
# Implement IP-based restrictions in the web server config
# Example for Apache 2.4; "/admin/config" and 192.168.1.0/24 are placeholders,
# replace them with FileRun's actual admin URL path and your admin network
<Location "/admin/config">
Require ip 192.168.1.0/24
</Location>
🧯 If You Can't Patch
- Isolate the FileRun server from other critical systems using network segmentation.
- Implement strict file integrity monitoring on the search_tika_path configuration and JAR upload directories.
🔍 How to Verify
Check if Vulnerable:
Check the FileRun version by examining the installation directory or admin interface. If version is exactly 20220202, the system is vulnerable.
Check Version:
Check the FileRun admin interface or examine the version.txt file in the installation directory.
Verify Fix Applied:
After updating, verify the version number has changed from 20220202. Test that the search_tika_path configuration cannot be modified to execute arbitrary JAR files.
📡 Detection & Monitoring
Log Indicators:
- Unusual JAR file uploads to FileRun
- Modifications to search_tika_path configuration
- Web server process spawning unexpected child processes
Network Indicators:
- Outbound connections from web server to unexpected destinations
- Unusual HTTP requests to configuration endpoints
SIEM Query:
source="filerun.log" AND ("search_tika_path" OR ".jar upload")
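As an added example that is not part of this advisory and not FileRun's own code, the Python script below turns the "How to Verify" and "Detection & Monitoring" items above into something runnable: it compares a version.txt value against the affected build, flags a search_tika_path value that does not point at a .jar inside an allowlisted directory (the file-integrity check recommended under "If You Can't Patch"), and scans log lines for JAR uploads and search_tika_path changes. The log layout, the /upload and /admin/config paths, the file= and key=/value= fields, the sample lines and ALLOWED_TIKA_DIR are all constructed for the example; FileRun's real endpoints and log fields differ, so adapt the regexes before use.

```python
"""Detection helpers for the FileRun search_tika_path issue (CVE-2022-30470).

Added example, not FileRun's code. Assumptions (all constructed for this
example): the access-log layout below, the /upload and /admin/config paths,
the "file=" / "key=...value=" fields, and ALLOWED_TIKA_DIR.
"""
import re
from pathlib import PurePosixPath

# The version this advisory names as affected.
VULNERABLE_VERSION = "20220202"

# Assumed location of the legitimate Apache Tika JAR (not a FileRun default;
# set it to wherever your deployment keeps Tika).
ALLOWED_TIKA_DIR = "/opt/filerun/tika"

# Combined-log-style line plus one trailing free-form field; constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<extra>.*)$'
)

# Constructed sample lines: one ordinary upload, one JAR upload, one change
# of search_tika_path to the uploaded file, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - alice [04/May/2022:10:01:12 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0" file=report.pdf
10.0.0.9 - bob [04/May/2022:10:03:44 +0000] "POST /upload HTTP/1.1" 200 512 "-" "curl/7.68" file=helper.jar
10.0.0.9 - bob [04/May/2022:10:04:02 +0000] "POST /admin/config HTTP/1.1" 200 128 "-" "curl/7.68" key=search_tika_path value=/var/www/filerun/uploads/helper.jar
10.0.0.5 - alice [04/May/2022:10:05:30 +0000] "GET /files HTTP/1.1" 200 4096 "-" "Mozilla/5.0" -
"""


def is_vulnerable_version(version_text: str) -> bool:
    """True when the contents of version.txt equal the affected build."""
    return version_text.strip() == VULNERABLE_VERSION


def tika_path_is_suspicious(path: str) -> bool:
    """Flag a search_tika_path value that is not a .jar inside
    ALLOWED_TIKA_DIR, or that contains '..' components."""
    p = PurePosixPath(path)
    if p.suffix.lower() != ".jar":
        return True
    if ".." in p.parts:
        return True
    allowed = ALLOWED_TIKA_DIR.rstrip("/") + "/"
    return not str(p).startswith(allowed)


def scan_log(text: str) -> list:
    """Return one finding per matching line: JAR uploads and
    search_tika_path changes (marked suspicious when the new value fails
    the allowlist check)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        extra = m.group("extra")
        base = {"ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts")}
        # Indicator 1: an upload whose file name ends in .jar
        if m.group("method") == "POST" and re.search(r"file=\S+\.jar(?:\s|$)", extra, re.I):
            findings.append({**base, "kind": "jar_upload", "detail": extra})
        # Indicator 2: any write to search_tika_path, with the new value vetted
        cm = re.search(r"key=search_tika_path value=(\S+)", extra)
        if cm:
            value = cm.group(1)
            findings.append({**base, "kind": "tika_path_change", "detail": value,
                             "suspicious": tika_path_is_suspicious(value)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the scanner reports bob's JAR upload followed by a search_tika_path change pointing into the upload directory, which is exactly the sequence the TL;DR describes; a change that points at a JAR under ALLOWED_TIKA_DIR is still reported, but not marked suspicious, so routine Tika upgrades remain visible without paging anyone.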