CVE-2022-34267

9.8 CRITICAL

📋 TL;DR

CVE-2022-34267 is an authentication bypass vulnerability in RWS WorldServer that allows unauthenticated attackers to upload and execute arbitrary Java code. By adding a specific token parameter (value '02') to requests, attackers can bypass all authentication requirements and upload malicious .jar files to the ws-api/v2/customizations/api endpoint. This affects all WorldServer installations before version 11.7.3.

💻 Affected Systems

Products:
  • RWS WorldServer
Versions: All versions before 11.7.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable if the vulnerable endpoint is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠

Likely Case

Unauthenticated attackers gaining administrative access, installing backdoors, stealing sensitive translation/localization data, and maintaining persistent access.

🟢

If Mitigated

Attackers blocked at network perimeter or detected during initial exploitation attempts, limiting impact to isolated systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with specific parameters and file uploads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.7.3

Vendor Advisory: https://www.rws.com/localization/products/trados-enterprise/worldserver/

Restart Required: Yes

Instructions:

1. Download WorldServer 11.7.3 or later from the RWS support portal.
2. Back up the current installation and data.
3. Run the upgrade installer following RWS documentation.
4. Restart WorldServer services.
5. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Block Vulnerable Endpoint

Platform: all

Use a web application firewall or network controls to block access to the /ws-api/v2/customizations/api endpoint.

# Example WAF/IPS rule in Suricata syntax to block requests to the endpoint.
# Suricata actions are alert/drop/reject/pass ("deny" is not a valid action); use "drop" in inline IPS mode,
# or "alert" if the sensor only monitors. On Suricata 4.x use the "http_uri;" modifier instead of the "http.uri;" sticky buffer.
drop http any any -> any any (msg:"Block WorldServer CVE-2022-34267 customizations endpoint"; flow:to_server,established; http.uri; content:"/ws-api/v2/customizations/api"; nocase; sid:1000001; rev:1;)

Network Segmentation

Platform: linux

Restrict access to WorldServer to trusted internal networks only.

# Example firewall rules (iptables). Replace the bracketed placeholders with the WorldServer
# listening port and the trusted CIDR. Order matters: the ACCEPT for the trusted network must
# come before the catch-all DROP, otherwise trusted clients are blocked too.
iptables -A INPUT -p tcp --dport [WorldServer_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [WorldServer_port] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WorldServer from internet and untrusted networks
  • Deploy web application firewall with rules to detect and block exploitation attempts targeting the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check WorldServer version via admin interface or by examining installation files. Versions below 11.7.3 are vulnerable.

Check Version:

Check WorldServer admin dashboard or installation directory for version information

Verify Fix Applied:

After patching, attempt to access /ws-api/v2/customizations/api with the token=02 parameter. The request should return an authentication error instead of being accepted.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /ws-api/v2/customizations/api with token=02 parameter
  • File uploads of .jar files to customization endpoints
  • Unusual Java process execution from WorldServer context

Network Indicators:

  • POST requests to /ws-api/v2/customizations/api with multipart/form-data containing .jar files
  • HTTP requests with token=02 parameter in URL or headers

SIEM Query:

source="worldserver" AND (url="/ws-api/v2/customizations/api" OR (method="POST" AND content_type="multipart/form-data" AND file_extension=".jar"))
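The log and network indicators above can be checked offline against exported proxy or WAF logs. The following script is an added example (not part of this advisory, and not RWS code): it parses a constructed JSON-lines request log, normalizes the URI and headers, and flags the three patterns described in this section: the token=02 bypass parameter in the query string or in an assumed "Token" header, multipart .jar uploads to the customizations endpoint, and plain access to that endpoint as a lower-priority baseline. The log format, field names and IP addresses are assumptions chosen for the example.

```python
import json
from urllib.parse import urlsplit, parse_qs

VULN_ENDPOINT = "/ws-api/v2/customizations/api"
BYPASS_TOKEN = "02"

# Constructed sample log (JSON lines, one HTTP request per line) standing in for
# a proxy/WAF export. None of these entries come from a real WorldServer system.
SAMPLE_LOG = """\
{"ts":"2022-07-01T10:00:01Z","src":"10.1.2.3","method":"GET","uri":"/ws-api/v2/projects","headers":{"Content-Type":"application/json"},"files":[]}
{"ts":"2022-07-01T10:00:05Z","src":"203.0.113.7","method":"GET","uri":"/ws-api/v2/customizations/api?token=02","headers":{},"files":[]}
{"ts":"2022-07-01T10:00:09Z","src":"203.0.113.7","method":"POST","uri":"/ws-api/v2/customizations/api?token=02","headers":{"Content-Type":"multipart/form-data; boundary=x"},"files":["evil.jar"]}
{"ts":"2022-07-01T10:01:00Z","src":"10.1.2.9","method":"POST","uri":"/ws-api/v2/customizations/api","headers":{"Content-Type":"multipart/form-data; boundary=y","Token":"02"},"files":["plugin.JAR"]}
{"ts":"2022-07-01T10:02:00Z","src":"10.1.2.3","method":"POST","uri":"/ws-api/v2/files","headers":{"Content-Type":"multipart/form-data; boundary=z"},"files":["glossary.tbx"]}
"""


def parse_event(line):
    """Parse one JSON log line and normalize path, query and header names."""
    ev = json.loads(line)
    parts = urlsplit(ev["uri"])
    ev["path"] = parts.path
    ev["query"] = parse_qs(parts.query)          # {"token": ["02"]} for ?token=02
    ev["headers"] = {k.lower(): v for k, v in ev.get("headers", {}).items()}
    return ev


def bypass_token_present(ev):
    """True if the bypass value appears as a query parameter or in an assumed 'Token' header."""
    if BYPASS_TOKEN in ev["query"].get("token", []):
        return True
    return ev["headers"].get("token") == BYPASS_TOKEN


def classify(ev):
    """Return the list of indicator names matched by a single request, highest priority first."""
    findings = []
    on_endpoint = ev["path"].startswith(VULN_ENDPOINT)
    if on_endpoint and bypass_token_present(ev):
        findings.append("auth_bypass_token")
    ctype = ev["headers"].get("content-type", "")
    jar_upload = any(name.lower().endswith(".jar") for name in ev.get("files", []))
    if ev["method"] == "POST" and ctype.startswith("multipart/form-data") and jar_upload:
        findings.append("jar_upload_customizations" if on_endpoint else "jar_upload_other")
    if on_endpoint and not findings:
        # Any traffic to the endpoint is worth a low-priority record while the patch is outstanding.
        findings.append("customizations_endpoint_access")
    return findings


def scan(log_text):
    """Run the classifier over every non-empty line and return only the requests that matched."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        findings = classify(ev)
        if findings:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "method": ev["method"],
                           "path": ev["path"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the scan reports three of the five requests: the GET with token=02, the POST that combines the bypass token with a .jar upload, and the internal POST that carries the token in a header rather than the URL; the ordinary project and glossary requests produce nothing. Matching the header case-insensitively and the file extension case-insensitively is what keeps the last two from slipping through.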
