CVE-2024-6633
📋 TL;DR
CVE-2024-6633 exposes default credentials for the HSQL database in FileCatalyst Workflow, allowing attackers to compromise the database if it remains accessible. This affects users who haven't migrated to a production database as recommended. The vulnerability could lead to data theft, manipulation, or service disruption.
💻 Affected Systems
- FileCatalyst Workflow
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the FileCatalyst Workflow system including data exfiltration, data manipulation, service disruption, and potential lateral movement within the network.
Likely Case
Unauthorized access to the HSQL database leading to exposure of sensitive workflow data, configuration information, and potential data manipulation.
If Mitigated
Minimal impact if HSQLDB is properly isolated or replaced with a production database as recommended.
🎯 Exploit Status
Exploitation requires only knowledge of default credentials and network access to the HSQLDB instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.fortra.com/security/advisories/product-security/fi-2024-011
Restart Required: Yes
Instructions:
1. Migrate from HSQLDB to a supported production database (MySQL, PostgreSQL, or SQL Server) following vendor documentation.
2. Ensure the HSQLDB service is disabled or removed from production systems.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to the HSQLDB port (default 9001) using firewall rules
# Linux iptables example: iptables -A INPUT -p tcp --dport 9001 -j DROP
# Windows Firewall: New-NetFirewallRule -DisplayName "Block HSQLDB" -Direction Inbound -LocalPort 9001 -Protocol TCP -Action Block
Change HSQLDB Credentials
Modify default credentials in HSQLDB configuration files
# Edit hsqldb.properties or server.properties file
# Change sa user password from default value
🧯 If You Can't Patch
- Immediately restrict network access to HSQLDB port (default 9001) using host-based firewalls.
- Monitor HSQLDB access logs for unauthorized connection attempts and review database activity.
🔍 How to Verify
Check if Vulnerable:
Check if HSQLDB is running and accessible on port 9001 (default) and verify if default credentials work. Review FileCatalyst Workflow configuration to see if HSQLDB is still in use.
Check Version:
Check FileCatalyst Workflow administration interface or installation directory for version information.
Verify Fix Applied:
Confirm HSQLDB service is stopped/removed and FileCatalyst Workflow is using a production database. Test that port 9001 is not accessible.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts to HSQLDB
- Successful connections using default credentials
- Unusual database queries or access patterns
Network Indicators:
- Connections to port 9001 (default HSQLDB port)
- Database queries from unexpected sources
SIEM Query:
(source="hsqldb.log" AND event="authentication" AND result="success") OR destination_port=9001
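
The network indicators above can be checked against host firewall logs. The following is an added example, not part of the advisory or of vendor material: it flags TCP connections to the default HSQLDB port 9001 from sources outside an allowlist. The log format (an iptables LOG-like `KEY=value` style), the allowlisted addresses, the host name and the function name `unexpected_hsqldb_sources` are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

HSQLDB_PORT = 9001  # default HSQLDB port named in this advisory

# Assumption: only these sources should ever reach the database listener.
ALLOWED_SOURCES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("10.0.5.10/32")]  # constructed app-server address

# Constructed sample in an iptables LOG-like key=value style; not real traffic.
SAMPLE_LOG = """\
Aug 27 10:01:02 fcw kernel: IN=eth0 SRC=10.0.5.10 DST=10.0.5.20 PROTO=TCP SPT=51514 DPT=9001
Aug 27 10:01:09 fcw kernel: IN=eth0 SRC=10.0.9.77 DST=10.0.5.20 PROTO=TCP SPT=40222 DPT=9001
Aug 27 10:01:10 fcw kernel: IN=eth0 SRC=10.0.9.77 DST=10.0.5.20 PROTO=TCP SPT=40223 DPT=9001
Aug 27 10:02:30 fcw kernel: IN=eth0 SRC=192.0.2.44 DST=10.0.5.20 PROTO=TCP SPT=33100 DPT=443
Aug 27 10:03:00 fcw kernel: IN=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=50000 DPT=9001
Aug 27 10:04:12 fcw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.5.20 PROTO=TCP SPT=61000 DPT=9001
malformed line without fields
"""

FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def unexpected_hsqldb_sources(log_text, port=HSQLDB_PORT, allowed=ALLOWED_SOURCES):
    """Return Counter {source_ip: hits} for TCP connections to `port` from outside `allowed`."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue  # not a TCP connection to the HSQLDB port
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # skip records with a missing or unparsable source
        if not any(src in net for net in allowed):
            hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for src, count in unexpected_hsqldb_sources(SAMPLE_LOG).most_common():
        print(f"ALERT unexpected source {src}: {count} connection(s) to port {HSQLDB_PORT}")
```

Once the migration to a production database is complete and HSQLDB is removed, the allowlist can be emptied so that any connection to port 9001 is reported.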