CVE-2023-37895

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical Java object deserialization vulnerability in the Apache Jackrabbit webapp and standalone distributions that allows unauthenticated remote code execution through the RMI access they expose by default. An attacker sends a malicious serialized object to the RMI endpoint of a vulnerable instance; a commons-beanutils class on the classpath supplies the gadget chain. Every webapp/standalone deployment running an affected version with RMI enabled is at risk.

💻 Affected Systems

Products:
  • Apache Jackrabbit
Versions: All versions up to and including 2.20.10 (stable branch) and 2.21.17 (unstable branch)
Operating Systems: All platforms
Default Config Vulnerable: ⚠️ Yes
Notes: RMI support is enabled by default in both the webapp and the standalone distribution. Earlier stable branches (1.0.x through 2.18.x) are end-of-life: they are affected too but will not receive updates, so on those branches disabling RMI (see Workarounds) or upgrading is the only remedy.

📦 What is this software?

Apache Jackrabbit is an open-source Java implementation of the JCR (Java Content Repository) API. The webapp (WAR) and standalone (JAR with embedded Jetty) distributions ship with remote repository access over RMI turned on.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: the attacker gains control of the server as the user running the Jackrabbit JVM, enabling data theft, ransomware deployment, or use of the host as a foothold for lateral movement.

🟠 Likely Case

Remote code execution leading to data exfiltration, cryptocurrency mining, or installation of backdoors for persistent access.

🟢 If Mitigated

Exploitation attempts fail (connection refused on the RMI port, 404 from /rmi) when RMI is disabled or the endpoints are unreachable from untrusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation uses a commons-beanutils class as the deserialization gadget and delivers the payload over RMI. The weakness is publicly documented and proof-of-concept code is public, so exploitation in the wild is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.11 or 2.21.18

Vendor Advisory: https://lists.apache.org/list.html?users@jackrabbit.apache.org

Restart Required: Yes

Instructions:

1. Download Jackrabbit 2.20.11 (stable) or 2.21.18 (unstable), as the standalone JAR or the webapp WAR to match your deployment.
2. Replace the existing installation with the patched version. The fixed releases ship with RMI disabled by default; do not carry over an old bootstrap.properties or web.xml that turns it back on unless you genuinely need RMI.
3. Restart the Jackrabbit service or the application server hosting the webapp.

🔧 Temporary Workarounds

Disable RMI via bootstrap.properties (applies to: all deployments)

Configure Jackrabbit to disable RMI support entirely:

Edit bootstrap.properties in $REPOSITORY_HOME and set: rmi.enabled=false
Remove the lines: rmi.host, rmi.port, rmi.url-pattern

Remove the RMI servlet from web.xml (applies to: all deployments)

Disable RMI-over-HTTP by removing the RemoteBindingServlet configuration:

Edit web.xml (inside the WAR, inside the standalone JAR, or in the unpacked webapp)
Remove the <servlet> and <servlet-mapping> sections whose servlet-name is 'RMI'

Restart Jackrabbit after either change; both files are read only at startup.
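The two workarounds above, applied and verified programmatically. This is an added example, not Jackrabbit project code: the bootstrap.properties and web.xml fragments are constructed to carry only the keys and the RMI servlet the advisory names; a real web.xml has more servlets and usually a DOCTYPE and comments (ElementTree drops comments, so treat the output as a review aid and re-check the file before deploying it).

```python
"""Apply and check the RMI-disabling workarounds for CVE-2023-37895.
Added example; the sample files below are constructed, not shipped files."""
import re
import xml.etree.ElementTree as ET

# Keys the advisory says to drop alongside setting rmi.enabled=false.
RMI_KEYS_TO_DROP = ("rmi.host", "rmi.port", "rmi.url-pattern")
_PROP = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")  # key=value or key:value


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("#", "!"))


def harden_bootstrap(text: str) -> str:
    """Return bootstrap.properties with rmi.enabled=false and the rmi.host,
    rmi.port and rmi.url-pattern lines removed; every other line is kept."""
    out, seen_enabled = [], False
    for line in text.splitlines():
        m = _PROP.match(line)
        if m and not _is_comment(line):
            key = m.group(1)
            if key in RMI_KEYS_TO_DROP:
                continue
            if key == "rmi.enabled":
                out.append("rmi.enabled=false")
                seen_enabled = True
                continue
        out.append(line)
    if not seen_enabled:  # key absent: state it explicitly instead of trusting defaults
        out.append("rmi.enabled=false")
    return "\n".join(out) + "\n"


def rmi_enabled_in_bootstrap(text: str) -> bool:
    """True unless rmi.enabled is explicitly false. A missing key counts as
    enabled, matching the page's note that RMI is on by default (a
    conservative assumption for a checker)."""
    for line in text.splitlines():
        m = _PROP.match(line)
        if m and not _is_comment(line) and m.group(1) == "rmi.enabled":
            return m.group(2).lower() != "false"
    return True


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip any {namespace} prefix


def _is_rmi_entry(elem: ET.Element) -> bool:
    return _local(elem.tag) in ("servlet", "servlet-mapping") and any(
        _local(e.tag) == "servlet-name" and (e.text or "").strip() == "RMI" for e in elem
    )


def remove_rmi_servlet(web_xml: str) -> str:
    """Drop the <servlet> and <servlet-mapping> elements named RMI and leave
    every other servlet in place. A default xmlns, if present, is preserved."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for child in list(root):
        if _is_rmi_entry(child):
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


def rmi_servlet_present(web_xml: str) -> bool:
    return any(_is_rmi_entry(c) for c in ET.fromstring(web_xml))


# Constructed samples (not copied from a Jackrabbit distribution).
SAMPLE_BOOTSTRAP = """\
# constructed bootstrap.properties
repository.home=jackrabbit
repository.config=jackrabbit/repository.xml
rmi.enabled=true
rmi.host=localhost
rmi.port=1099
rmi.url-pattern=rmi://localhost:1099/jackrabbit
"""

SAMPLE_WEB_XML = """\
<web-app>
  <servlet>
    <servlet-name>Repository</servlet-name>
    <servlet-class>org.apache.jackrabbit.j2ee.RepositoryStartupServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>RMI</servlet-name>
    <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RMI</servlet-name>
    <url-pattern>/rmi</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    print(harden_bootstrap(SAMPLE_BOOTSTRAP))
    print(remove_rmi_servlet(SAMPLE_WEB_XML))
```

Run `rmi_enabled_in_bootstrap` and `rmi_servlet_present` against the live files before and after the change; both must come back False before you consider the workaround in place.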

🧯 If You Can't Patch

  • Disable RMI support immediately using the workarounds above; this is also what the fixed releases do by default.
  • Restrict network access to the RMI registry port (default 1099, set by rmi.port) and to the /rmi path. In Java RMI the registry port is only the lookup point: remote objects are by default exported on a dynamically assigned port unless the server pins one, so block all inbound traffic to the host except the HTTP port you actually serve rather than filtering 1099 alone.

🔍 How to Verify

Check if Vulnerable:

Check whether the host is listening on the RMI registry port (default 1099; e.g. ss -ltn or netstat -ltn), and whether an HTTP GET to /rmi (under the webapp's context path, if any) returns 200 with a serialized Java object (body beginning with the bytes AC ED 00 05) rather than 404. Either result means RMI is reachable. Also confirm bootstrap.properties does not contain rmi.enabled=true.

Check Version:

Read the version from the artifact names in the deployment: jackrabbit-standalone-<version>.jar for the standalone, or WEB-INF/lib/jackrabbit-core-<version>.jar inside the deployed webapp.

Verify Fix Applied:

After the restart, verify that port 1099 (or the configured rmi.port) is no longer listening and that HTTP GET to /rmi returns 404. Confirm the Jackrabbit version is 2.20.11+ on the 2.20 branch or 2.21.18+ on the 2.21 branch. If you re-enable RMI on a fixed release, the RMI endpoint is exposed again and must be reachable only from trusted networks.
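The three verification checks as offline helpers (added example, not Jackrabbit code). The version thresholds are the fixed releases named above; the `ss -ltn` listing is constructed; `probe_rmi_http` is the only function that touches the network and runs only when a URL is passed on the command line. The branch rule goes beyond the page in one respect: versions from branches newer than 2.21 are assumed to post-date the fix.

```python
"""Offline checks for CVE-2023-37895 exposure. Added example, not project code."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
# First fixed release per branch, from the advisory.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {(2, 20): (2, 20, 11), (2, 21): (2, 21, 18)}
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # first bytes of any ObjectOutputStream stream
_ARTIFACT = re.compile(r"jackrabbit-(?:core|standalone|webapp)-(\d+)\.(\d+)\.(\d+)")


def version_from_filename(name: str) -> Optional[Version]:
    """'WEB-INF/lib/jackrabbit-core-2.20.10.jar' -> (2, 20, 10); None for other jars."""
    m = _ARTIFACT.search(name)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable_version(v: Version) -> bool:
    """Older than the first fixed release of its branch. Branches before 2.20
    are EOL and never got a fix; branches after 2.21 are assumed (not stated
    on the page) to post-date the fix."""
    if v[:2] in FIRST_FIXED:
        return v < FIRST_FIXED[v[:2]]
    return v < (2, 20, 0)


def port_listening(ss_output: str, port: int = 1099) -> bool:
    """True if an `ss -ltn` / `netstat -ltn` style listing shows a LISTEN socket
    on the port (matches '*:1099', '0.0.0.0:1099' and '[::]:1099')."""
    suffix = f":{port}"
    for line in ss_output.splitlines():
        if "LISTEN" in line.upper() and any(col.endswith(suffix) for col in line.split()):
            return True
    return False


def classify_rmi_response(status: int, body: bytes) -> str:
    """404 = servlet absent (the page's 'disabled' test); 200 carrying a Java
    serialization header = RemoteBindingServlet live; anything else (proxy
    error page, 401, 503) is inconclusive and needs a manual look."""
    if status == 404:
        return "disabled"
    if status == 200 and body.startswith(JAVA_SERIAL_MAGIC):
        return "enabled"
    return "inconclusive"


def probe_rmi_http(base_url: str, timeout: float = 5.0) -> str:
    """Live check; never called on import. Assumes the default /rmi mapping
    (a reverse proxy in front may rewrite the path)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/rmi", timeout=timeout) as r:
            return classify_rmi_response(r.status, r.read(len(JAVA_SERIAL_MAGIC)))
    except urllib.error.HTTPError as e:
        return classify_rmi_response(e.code, b"")


def report(artifacts: List[str], ss_output: str, rmi_status: int, rmi_body: bytes) -> Dict[str, object]:
    """Combine the three checks into one verdict."""
    versions = [v for v in map(version_from_filename, artifacts) if v is not None]
    return {
        "vulnerable_version": any(is_vulnerable_version(v) for v in versions),
        "rmi_registry_listening": port_listening(ss_output, 1099),
        "rmi_over_http": classify_rmi_response(rmi_status, rmi_body),
    }


# Constructed `ss -ltn` listing for a default standalone: Jetty on 8080, RMI registry on 1099.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       50            *:8080             *:*
LISTEN  0       50            *:1099             *:*
LISTEN  0       128     127.0.0.1:11099          *:*
"""

if __name__ == "__main__":
    import sys
    print(report(["jackrabbit-standalone-2.20.10.jar"], SAMPLE_SS, 200, JAVA_SERIAL_MAGIC))
    if len(sys.argv) > 1:  # e.g. python verify_rmi.py http://host:8080
        print("live /rmi check:", probe_rmi_http(sys.argv[1]))
```

A host can be on a fixed version and still show `rmi_registry_listening: True` if an old bootstrap.properties was carried over; treat the three fields as independent findings rather than collapsing them into one flag.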

📡 Detection & Monitoring

Log Indicators:

  • RMI connection attempts from unexpected sources (servlet-container access logs showing requests to /rmi, or connections to the registry port)
  • Deserialization errors or warnings in the Jackrabbit/JVM log, such as ClassNotFoundException or InvalidClassException stack traces on RMI threads from failed gadget attempts
  • Unexpected child processes spawned by the Jackrabbit JVM

Network Indicators:

  • Traffic to the RMI registry port (default 1099): a JRMP session opens with the ASCII bytes "JRMI" followed by the protocol version 0x0002
  • HTTP requests to the /rmi path; the servlet's reply is a serialized Java object whose body starts with the bytes AC ED 00 05

SIEM Query:

Example (field names depend on your SIEM schema): (destination_port:1099 OR url_path:"/rmi") AND (process:"java" OR service:"jackrabbit")
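Detection logic for the indicators above, run over constructed samples (added example, not Jackrabbit code). The access-log lines and payload bytes are made up for the example; the JRMP handshake bytes, the serialization header and the gadget class name are standard Java and commons-beanutils artefacts rather than anything taken from this page's advisory.

```python
"""Detection helpers for CVE-2023-37895 indicators. Added example, not project code."""
import re
from typing import Dict, List, Set

JRMP_MAGIC = b"JRMI\x00\x02"              # JRMP handshake: 'JRMI' then protocol version 2
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream stream header
# Class names are stored in the clear inside a serialization stream, so a
# substring match is enough to spot the public commons-beanutils gadget chain.
GADGET_CLASSES = (b"org.apache.commons.beanutils.BeanComparator",)

# Combined log format: src ident user [time] "METHOD PATH PROTO" status bytes ...
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# /rmi at the context root or under a context path (/jackrabbit/rmi), with or
# without a trailing slash or query string.
_RMI_PATH = re.compile(r"(?:^|/)rmi(?:[/?]|$)")


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """One record per request to the RMI-over-HTTP path. A 200 means the
    RemoteBindingServlet answered, i.e. the stub was handed out; a 404 shows
    someone probing a host where RMI-over-HTTP is already off."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = _CLF.match(line)
        if m is None or not _RMI_PATH.search(m.group("path")):
            continue
        hits.append({
            "src": m.group("src"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "served": m.group("status") == "200",
        })
    return hits


def stub_fetchers(hits: List[Dict[str, object]]) -> List[str]:
    """Distinct sources that actually received the stub (status 200)."""
    return sorted({str(h["src"]) for h in hits if h["served"]})


def classify_payload(data: bytes) -> Set[str]:
    """Tag a raw TCP payload. 'jrmp-handshake' is what a client sends first on
    the registry port; 'java-serialization' marks any serialized object, which
    on the RMI channel is normal; 'beanutils-gadget' is the one worth an alert."""
    tags: Set[str] = set()
    if data.startswith(JRMP_MAGIC):
        tags.add("jrmp-handshake")
    if JAVA_SERIAL_MAGIC in data:
        tags.add("java-serialization")
        if any(cls in data for cls in GADGET_CLASSES):
            tags.add("beanutils-gadget")
    return tags


# Constructed access-log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2023:10:01:02 +0000] "GET /rmi HTTP/1.1" 200 1217 "-" "Java/1.8.0_372"',
    '198.51.100.4 - - [25/Jul/2023:10:01:05 +0000] "GET /repository/default/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jul/2023:10:01:07 +0000] "GET /jackrabbit/rmi HTTP/1.1" 200 1217 "-" "python-requests/2.31"',
    '198.51.100.4 - - [25/Jul/2023:10:02:00 +0000] "GET /rmi HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
]

# Constructed payload fragments: a JRMP stream-protocol handshake (0x4b), a JRMP
# Call message (0x50) whose argument stream names the gadget class, and plain HTTP.
SAMPLE_PAYLOADS = {
    "jrmp_handshake": JRMP_MAGIC + b"\x4b",
    "call_with_gadget": b"\x50" + JAVA_SERIAL_MAGIC + b"sr\x00\x2borg.apache.commons.beanutils.BeanComparator",
    "benign_http": b"GET /repository/default/ HTTP/1.1\r\nHost: cms.example\r\n\r\n",
}

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("stub fetchers:", stub_fetchers(hits))
    for name, data in SAMPLE_PAYLOADS.items():
        print(name, sorted(classify_payload(data)))
```

The payload tags only work on cleartext captures; if the RMI channel is wrapped in TLS, fall back to the registry-port and /rmi connection indicators and to the deserialization errors in the JVM log.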
