CVE-2023-48887

9.8 CRITICAL

📋 TL;DR

CVE-2023-48887 is a critical deserialization vulnerability in Jupiter v1.3.1 that allows remote attackers to execute arbitrary commands by sending specially crafted RPC requests. This affects any system running the vulnerable Jupiter version with RPC endpoints exposed. Attackers can achieve remote code execution with high privileges.

💻 Affected Systems

Products:
  • Jupiter
Versions: v1.3.1
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Any Jupiter installation using the default RPC configuration is vulnerable. The vulnerability exists in the deserialization mechanism of RPC requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with the privileges of the Jupiter process, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Remote code execution leading to installation of backdoors, cryptocurrency miners, or data exfiltration tools on vulnerable systems.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to RPC endpoints.

🌐 Internet-Facing: HIGH - Systems with RPC endpoints exposed to the internet are immediately vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable to attackers who gain network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit tools are available that leverage JNDI injection techniques. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.3.2 or later

Vendor Advisory: https://github.com/fengjiachun/Jupiter/issues/115

Restart Required: Yes

Instructions:

1. Download the latest version from the official GitHub repository.
2. Stop the Jupiter service.
3. Replace the vulnerable JAR files with patched versions.
4. Restart the Jupiter service.
5. Verify the version is updated to v1.3.2 or later.

🔧 Temporary Workarounds

Network Access Restriction

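Platform: all

Restrict network access to Jupiter RPC endpoints using firewall rules. Replace [JUPITER_RPC_PORT] with the RPC port your deployment listens on. As written, both rules block every inbound TCP connection to that port, including legitimate clients.

Linux (iptables):
iptables -A INPUT -p tcp --dport [JUPITER_RPC_PORT] -j DROP

Windows (netsh):
netsh advfirewall firewall add rule name="Block Jupiter RPC" dir=in action=block protocol=TCP localport=[JUPITER_RPC_PORT]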

Disable RPC Endpoint

Platform: all

Disable the vulnerable RPC endpoint if not required for functionality

Modify Jupiter configuration to disable RPC server or change to non-default port

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jupiter instances from untrusted networks
  • Deploy application-level firewalls or WAFs with rules to detect and block malicious RPC requests

🔍 How to Verify

Check if Vulnerable:

Check the Jupiter version by examining the JAR file metadata or application logs. If the version is exactly 1.3.1, the system is vulnerable.

Check Version:

java -jar jupiter.jar --version or check the MANIFEST.MF file in the JAR

Verify Fix Applied:

Verify the Jupiter version is 1.3.2 or later and test RPC functionality with legitimate requests to ensure service remains operational.
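The JAR metadata check described above can be scripted for use across many hosts. The following Python is an added example, not code from the Jupiter project or from this advisory. It assumes the build recorded its version in the manifest's Implementation-Version attribute or in a Maven pom.properties under an artifact directory whose name starts with jupiter; the function names are illustrative.

```python
import io
import re
import sys
import zipfile

VULNERABLE = (1, 3, 1)  # version the advisory lists as affected
FIXED = (1, 3, 2)       # first version the advisory lists as patched


def jar_versions(jar):
    """Return (major, minor, patch) tuples recorded in a JAR path or file object."""
    found = set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name == "META-INF/MANIFEST.MF":
                key = r"Implementation-Version:\s*"  # assumed to be set by the build
            elif re.fullmatch(r"META-INF/maven/[^/]+/jupiter[^/]*/pom\.properties", name):
                key = r"version="  # Maven metadata of an artifact named jupiter*
            else:
                continue
            text = zf.read(name).decode("utf-8", "replace")
            hits = re.findall(rf"^{key}v?(\d+)\.(\d+)\.(\d+)", text, re.M)
            found.update(tuple(map(int, h)) for h in hits)
    return found


def classify(jar):
    """'vulnerable', 'patched' or 'unknown', using only the advisory's versions."""
    versions = jar_versions(jar)
    if VULNERABLE in versions:  # also catches a fat JAR that bundles 1.3.1
        return "vulnerable"
    if versions and all(v >= FIXED for v in versions):
        return "patched"
    return "unknown"  # nothing recorded, or a version the advisory does not cover


def make_sample_jar(files):
    """Build a constructed in-memory JAR from {entry name: text}; demo input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {classify(path)}")
```

An "unknown" result means the JAR carries no usable version metadata or a version this advisory does not name, so it needs manual review rather than being treated as safe.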

📡 Detection & Monitoring

Log Indicators:

  • Unusual RPC request patterns
  • Java deserialization errors in logs
  • Unexpected process spawns from Jupiter service

Network Indicators:

  • Unusual outbound connections from Jupiter process
  • RPC requests containing serialized Java objects with suspicious class names

SIEM Query:

source="jupiter.log" AND ("deserialization" OR "RPC" OR "JNDI") AND severity=ERROR
