CVE-2022-42447
📋 TL;DR
HCL Compass has a Cross-Origin Resource Sharing (CORS) vulnerability that allows attackers to trick authenticated users into making unauthorized requests to the application. This affects all HCL Compass users with vulnerable versions exposed to untrusted networks. Attackers can exploit this to perform actions on behalf of legitimate users without their knowledge.
💻 Affected Systems
- HCL Compass
📦 What is this software?
HCL Compass by HCLTech
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the HCL Compass instance, allowing attackers to perform administrative actions, access sensitive data, or modify system configurations as any authenticated user.
Likely Case
Attackers steal session tokens or perform unauthorized actions using authenticated user sessions, potentially leading to data exfiltration or privilege escalation.
If Mitigated
Limited impact with proper network segmentation and user awareness training, though the vulnerability still exists in the application.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated users, but the technical execution is straightforward once user interaction is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.2 and later
Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0103581
Restart Required: Yes
Instructions:
1. Download HCL Compass version 2.1.2 or later from the HCL support portal.
2. Back up the current installation and data.
3. Run the installer to upgrade.
4. Restart all HCL Compass services.
5. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Implement CORS restrictions
Configure the web server or application firewall in front of HCL Compass to restrict cross-origin requests to trusted origins only. The Access-Control-Allow-Origin value must be a full origin (scheme and host), and the front end must replace any CORS header the application itself emits rather than adding a second one; confirm the final headers in the browser's developer tools.
# Apache: Header set Access-Control-Allow-Origin "https://trusted-domain.com"
# Nginx: add_header Access-Control-Allow-Origin "https://trusted-domain.com";
Network segmentation
Restrict access to HCL Compass to internal networks only.
# Firewall rule example (the ACCEPT rule only takes effect together with a rule dropping traffic to the port from all other sources):
# iptables -A INPUT -p tcp --dport [HCL_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
🧯 If You Can't Patch
- Implement strict CORS policies at the web server or WAF level to only allow requests from trusted origins.
- Deploy HCL Compass behind a reverse proxy with additional security controls and restrict access to authenticated users only.
🔍 How to Verify
Check if Vulnerable:
Check HCL Compass version via admin interface or by examining installation files. Versions below 2.1.2 are vulnerable.
Check Version:
Check version in HCL Compass web interface under Help > About, or examine version.txt in installation directory.
Verify Fix Applied:
Verify version is 2.1.2 or higher in admin interface and test CORS headers in browser developer tools.
📡 Detection & Monitoring
Log Indicators:
- Unusual cross-origin requests in web server logs
- Multiple failed authentication attempts followed by successful requests from unexpected origins
- Requests with suspicious Origin headers
Network Indicators:
- HTTP requests with Origin headers pointing to untrusted domains
- Cross-origin requests to HCL Compass endpoints without proper CORS restrictions
SIEM Query:
source="web_server_logs" AND (uri="*/compass/*" OR uri="*/cwb/*") AND origin=* AND origin!="https://trusted-domain.com"
The query returns Compass requests that carry an Origin header whose value is not a trusted origin; combining the two origin conditions with OR instead would match every request that has any Origin header at all.
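The following script is an added example, not part of this advisory or of HCL's software: it applies the "How to Verify" check to a captured CORS response and runs the detection logic of the SIEM query above over constructed log lines. The trusted origin, the log layout (combined format with the Origin header appended as a final quoted field) and the sample lines are assumptions.

```python
import re
from typing import Iterable

# Assumption: the origins your deployment trusts (constructed value).
TRUSTED_ORIGINS = {"https://trusted-domain.com"}


def cors_verdict(request_origin: str, response_headers: dict, trusted=TRUSTED_ORIGINS) -> str:
    """Classify the response HCL Compass gives to a cross-origin request.

    'vulnerable': an untrusted origin is echoed back with credentials allowed,
                  so a third-party page can read authenticated responses.
    'weak':       an untrusted origin (or '*') is allowed without credentials.
    'ok':         no untrusted origin can read the response.
    """
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok"            # browser blocks every cross-origin read
    if acao == "*":
        return "weak"          # browsers refuse '*' together with credentials
    if acao == request_origin and request_origin not in trusted:
        return "vulnerable" if creds else "weak"
    return "ok"                # trusted origin, or a mismatch the browser rejects


# Constructed sample lines: combined log format plus the Origin header as last field.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Oct/2022:10:00:01 +0000] "POST /cwb/api/query HTTP/1.1" 200 512 "https://evil.example"',
    '10.0.0.6 - bob [12/Oct/2022:10:00:02 +0000] "GET /compass/home HTTP/1.1" 200 2048 "https://trusted-domain.com"',
    '10.0.0.7 - - [12/Oct/2022:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 100 "https://evil.example"',
    '10.0.0.8 - carol [12/Oct/2022:10:00:04 +0000] "GET /compass/home HTTP/1.1" 200 2048 "-"',
]
LOG_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" \d+ \d+ "(?P<origin>[^"]*)"')


def suspicious_requests(lines: Iterable[str], trusted=TRUSTED_ORIGINS) -> list:
    """Same condition as the SIEM query: Compass/cwb requests with an untrusted Origin."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        uri, origin = m.group("uri"), m.group("origin")
        if ("/compass/" in uri or "/cwb/" in uri) and origin not in ("", "-") and origin not in trusted:
            hits.append((uri, origin))
    return hits


if __name__ == "__main__":
    print(cors_verdict("https://evil.example", {"Access-Control-Allow-Origin": "https://evil.example",
                                                "Access-Control-Allow-Credentials": "true"}))
    print(suspicious_requests(SAMPLE_LOG))
```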