CVE-2023-26436
📋 TL;DR
CVE-2023-26436 is a Java deserialization vulnerability in OX App Suite's documentconverterws API that allows authenticated attackers on local networks to execute arbitrary code by injecting malicious serialized objects. The vulnerability affects OX App Suite installations with the default configuration. Attackers could achieve remote code execution with the privileges of the application server.
💻 Affected Systems
- OX App Suite
📦 What is this software?
Open Xchange Appsuite Backend by Open Xchange
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Privilege escalation and lateral movement within the network by authenticated attackers who gain access to the application server.
If Mitigated
Limited impact if network segmentation restricts access to the API endpoint and proper input validation is implemented.
🎯 Exploit Status
Exploitation requires understanding of Java deserialization attacks and access to the local network. No public exploits are known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.10.6 rev 6219
Vendor Advisory: https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
Restart Required: Yes
Instructions:
1. Update OX App Suite to version 7.10.6 rev 6219 or later.
2. Apply the patch that introduces proper class validation during deserialization.
3. Restart the application server.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Implement strict network controls that limit access to the documentconverterws API endpoint to trusted systems only. Replace [API_PORT] and [TRUSTED_IP] with your values; the ACCEPT rule must be added before the DROP rule.
iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP
Input Validation Enhancement
All platforms: Implement additional input validation and filtering for serialized objects at the application level, so that only the classes a request is expected to carry can be deserialized.
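An added example, not OX App Suite code, of the class validation that the fix (step 2 above) and this application-level workaround describe: a JDK 9+ ObjectInputFilter allow-list that rejects every class not explicitly named before ObjectInputStream resolves it. The allow-listed class set and the sample payloads are constructed for this illustration.

```java
import java.io.*;
import java.util.Date;
import java.util.HashMap;

public final class AllowListDeserializer {

    // Allow-list (constructed for this example): only the exact classes a request is
    // expected to carry, plus resource limits; the final "!*" rejects every other
    // class before the stream instantiates it. Integer is serialized together with
    // its superclass Number, so Number must be listed as well.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "java.lang.String;java.lang.Number;java.lang.Integer;java.util.HashMap;"
        + "maxdepth=10;maxarray=10000;maxrefs=1000;"
        + "!*");

    // Deserialize untrusted bytes with the allow-list applied to the stream.
    // A class outside the list makes readObject() throw InvalidClassException
    // ("filter status: REJECTED") instead of instantiating it.
    public static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper that builds the constructed sample payloads below.
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected shape: a map of simple values, every class of which is allow-listed.
        HashMap<String, Integer> request = new HashMap<>();
        request.put("pages", 3);
        System.out.println("accepted: " + readFiltered(serialize(request)));

        // java.util.Date is harmless but not on the list, so the filter rejects it;
        // any unexpected class in a payload is stopped at the same point.
        try {
            readFiltered(serialize(new Date(0)));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide with ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property when the deserializing code cannot be changed.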
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the OX App Suite server from untrusted networks
- Deploy a web application firewall (WAF) with rules to detect and block Java deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check OX App Suite version and compare against vulnerable versions (prior to 7.10.6 rev 6219). Review system logs for warnings about illegal class injection attempts.
Check Version:
Check OX App Suite administration interface or consult documentation for version information specific to your installation.
Verify Fix Applied:
Verify OX App Suite version is 7.10.6 rev 6219 or later. Test that the documentconverterws API properly rejects malicious serialized objects.
📡 Detection & Monitoring
Log Indicators:
- Warnings about illegal class injection attempts in application logs
- Unusual Java deserialization errors
- Suspicious requests to /documentconverterws endpoint
Network Indicators:
- Unusual traffic patterns to the documentconverterws API endpoint
- Serialized Java objects in HTTP requests
SIEM Query:
source="ox-app-suite-logs" AND (message="*illegal class*" OR message="*deserialization*" OR uri="/documentconverterws")
🔗 References
- http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html
- http://seclists.org/fulldisclosure/2023/Jun/8
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf