CVE-2024-22377
📋 TL;DR
This vulnerability allows unauthorized users to retrieve content from the deploy directory of PingFederate runtime nodes over HTTP, potentially exposing sensitive configuration files. It affects organizations running vulnerable versions of PingFederate whose runtime nodes are reachable by untrusted clients, whether through default settings or misconfigured access controls.
💻 Affected Systems
- PingFederate
📦 What is this software?
PingFederate by Ping Identity. PingFederate is an enterprise federation server that acts as an identity provider and service provider for SAML, OAuth 2.0 and OpenID Connect, and is typically deployed as one administrative node plus one or more runtime nodes that handle end-user traffic.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive configuration files containing credentials, certificates, or security settings, leading to complete system compromise or data exfiltration.
Likely Case
Unauthorized users could read configuration files to gather intelligence about the PingFederate deployment, potentially enabling further attacks.
If Mitigated
With proper access controls and network segmentation, the impact is limited to information disclosure with no direct system compromise.
🎯 Exploit Status
Exploitation requires network access to the PingFederate runtime node and knowledge of the deploy directory path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 12.0.1 or later
Vendor Advisory: https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083
Restart Required: Yes
Instructions:
1. Download PingFederate 12.0.1 or later from the Ping Identity support portal.
2. Back up the current deployment.
3. Apply the update following the PingFederate upgrade procedures.
4. Restart all PingFederate runtime nodes.
🔧 Temporary Workarounds
Restrict network access to deploy directory
Configure reverse proxy or firewall rules to block requests to the /deploy path before they reach the runtime node. This only protects clients whose traffic passes through that proxy; anything that can reach the node's runtime port directly is unaffected by the rule.
# Example Apache configuration (answers 403 for /deploy and everything beneath it):
<Location "/deploy">
    Require all denied
</Location>
# Example Nginx configuration:
location /deploy {
    deny all;
}
Move deploy directory
Relocate the deploy directory outside the web-accessible document root.
# Update the PingFederate configuration to point to the new deploy directory location
Treat this as a last resort: the deploy directory is where PingFederate loads its deployed plug-in JARs and WARs from, so relocating it without a vendor-documented procedure can break the installation. Prefer the access-control rule above unless Ping Identity support confirms a relocation procedure for your version.
🧯 If You Can't Patch
- Implement strict network access controls to limit which IP addresses can reach PingFederate runtime nodes
- Regularly monitor and audit access to the deploy directory for unauthorized attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to access https://[pingfederate-host]/deploy/ (on the runtime port, 9031 by default) from a network location that should not be trusted, without any credentials. If a directory listing or any file content is returned with HTTP 200, the system is vulnerable.
Check Version:
Check the version displayed in the PingFederate administrative console, or query the administrative API on the admin node: GET https://[pingfederate-admin-host]:9999/pf-admin-api/v1/version (requires administrator credentials and the X-XSRF-Header request header that the admin API expects). Any version before 12.0.1 should be treated as vulnerable.
Verify Fix Applied:
After patching, verify that accessing the /deploy directory returns a 403 Forbidden or 404 Not Found error.
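The check above, as an added example (not Ping Identity code or a vendor-supplied tool): one unauthenticated GET against the runtime node's /deploy/ path, classified by status code. The hostname, the default runtime port 9031 and the DEPLOY_PATH constant are assumptions; the directory-listing heuristic only adds detail to an "exposed" verdict and is not needed to decide it.

```python
"""Probe a PingFederate runtime node for an exposed /deploy/ path.

Added example, not Ping Identity code. Host, port and DEPLOY_PATH are
assumptions for illustration; only the HTTP status code decides the verdict.
"""
import ssl
import sys
import urllib.error
import urllib.request

DEPLOY_PATH = "/deploy/"  # assumed path, taken from the advisory text above


def classify(status: int) -> str:
    """Map a response status to a verdict.

    200        -> "exposed": the node served something under /deploy/.
    403 / 404  -> "blocked": the expected state after patching, or with a
                  reverse-proxy deny rule in front of the node.
    other      -> "inconclusive": redirects, auth challenges, 5xx errors.
    """
    if status == 200:
        return "exposed"
    if status in (403, 404):
        return "blocked"
    return "inconclusive"


def looks_like_listing(body: bytes) -> bool:
    """Heuristic: directory index pages usually carry an 'Index of' title or
    anchor tags. Only used to annotate an 'exposed' verdict."""
    lower = body.lower()
    return b"index of" in lower or b"<a href=" in lower


def probe(host: str, port: int = 9031, verify_tls: bool = True) -> tuple:
    """Issue one unauthenticated GET to https://host:port/deploy/ and
    return (status, first 4 KiB of body). HTTPError is a response too."""
    url = f"https://{host}:{port}{DEPLOY_PATH}"
    ctx = ssl.create_default_context()
    if not verify_tls:  # internal test certs are common on runtime nodes
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, method="GET", headers={"User-Agent": "cve-2024-22377-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "pingfederate.example.com"
    status, body = probe(target, verify_tls=False)
    verdict = classify(status)
    detail = ""
    if verdict == "exposed" and looks_like_listing(body):
        detail = " (directory listing)"
    print(f"{target}: HTTP {status} -> {verdict}{detail}")
```

Run it from an untrusted network segment as well as from inside the trusted one: a "blocked" result from inside the perimeter says nothing about what an external client sees, and a 302 to a login page is "inconclusive" rather than proof of a fix.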
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /deploy/* requests in web server logs
- Unusual file access patterns to deploy directory
Network Indicators:
- HTTP GET requests to /deploy/ paths from unauthorized IP addresses
SIEM Query:
source="pingfederate-logs" AND (uri_path="/deploy" OR uri_path="/deploy/*") AND http_status=200
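The log and network indicators above, turned into detection logic as an added example (not a vendor-supplied rule). The sample lines are constructed in the common access-log format a reverse proxy in front of the runtime node would write; PingFederate's own server.log uses a different layout, so the regex must be adapted to the real source. The trusted-network allow list and the file name in the sample are assumptions.

```python
"""Flag successful requests to /deploy on a PingFederate runtime node.

Added example, not Ping Identity code. SAMPLE_LOG is constructed; the
TRUSTED_NETS allow list is an assumed management range.
"""
import ipaddress
import re

# Constructed sample: one benign request, one trusted admin hit, two untrusted
# successful hits that should fire, and one blocked (403) attempt that should not.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /idp/SSO.saml2 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /deploy/ HTTP/1.1" 200 1880
203.0.113.7 - - [12/Mar/2024:10:02:11 +0000] "GET /deploy/ HTTP/1.1" 200 1880
203.0.113.7 - - [12/Mar/2024:10:02:12 +0000] "GET /deploy/custom-adapter.jar HTTP/1.1" 200 91233
203.0.113.7 - - [12/Mar/2024:10:02:13 +0000] "GET /deploy/ HTTP/1.1" 403 199
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed admin range


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def deploy_hits(log_text: str, require_untrusted: bool = True) -> list:
    """Return parsed records for requests under /deploy answered with HTTP 200.

    require_untrusted=True keeps only sources outside TRUSTED_NETS, matching
    the "from unauthorized IP addresses" indicator above; False keeps every
    successful /deploy hit, which is the right mode when the path should not
    be reachable by anyone at all.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if not (path == "/deploy" or path.startswith("/deploy/")):
            continue
        if int(rec["status"]) != 200:
            continue  # 403/404 are the blocked state, not a finding
        if require_untrusted and is_trusted(rec["ip"]):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in deploy_hits(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

Note that the path match is on the prefix "/deploy/" plus the bare "/deploy", so a request for "/deployment" is not a hit; the SIEM query above with uri_path="/deploy/*" behaves the same way.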