CVE-2021-45967 Overview
A critical path traversal vulnerability exists in Pascom Cloud Phone System before version 7.20.x. The vulnerability arises from a configuration error between the NGINX reverse proxy and a backend Tomcat server, which leads to a path traversal condition in the Tomcat server. This misconfiguration exposes unintended endpoints that should not be accessible to external users, potentially allowing attackers to access sensitive resources and functionality.
Critical Impact
Unauthenticated remote attackers can exploit the NGINX-to-Tomcat misconfiguration to traverse the file system and access restricted endpoints, potentially leading to complete system compromise with high impact on confidentiality, integrity, and availability.
Affected Products
- Pascom Cloud Phone System (versions before 7.20.x)
- Igniterealtime Openfire
- Igniterealtime Openfire 4.5.0
Discovery Timeline
- 2022-03-18 - CVE-2021-45967 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-45967
Vulnerability Analysis
This vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) stems from an architectural security flaw in the Pascom Cloud Phone System deployment. When NGINX acts as a reverse proxy in front of a Tomcat application server, improper configuration of URL path handling creates a path traversal condition. The NGINX server fails to properly normalize and validate request paths before forwarding them to the Tomcat backend.
The misconfiguration allows attackers to craft specially-formed HTTP requests that bypass NGINX's intended path restrictions. When these malicious requests reach the Tomcat server, they are interpreted in a way that grants access to endpoints and resources that should be protected from external access.
Root Cause
The root cause is a configuration mismatch between how NGINX processes and forwards URL paths versus how the Tomcat server interprets those same paths. This inconsistency in path normalization between the two components creates a security gap. NGINX may consider a path as valid and within scope while Tomcat interprets path traversal sequences (such as ../ or encoded variants) differently, ultimately resolving to locations outside the intended directory structure.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker sends crafted HTTP requests to the NGINX reverse proxy containing path traversal sequences. Due to the configuration error, these requests are forwarded to the Tomcat backend where the traversal sequences are processed, allowing access to unintended endpoints. The exploitation requires no privileges, making this vulnerability particularly dangerous in internet-facing deployments.
The attack flow involves:
- Attacker crafts malicious HTTP requests with path traversal sequences
- NGINX reverse proxy fails to properly sanitize or block the traversal patterns
- Requests are forwarded to the Tomcat backend server
- Tomcat interprets the path traversal, exposing restricted endpoints
- Attacker gains unauthorized access to sensitive resources
For detailed technical analysis, refer to the Kerbit Blog Research Post and Tutorial Boy Blog Story.
Detection Methods for CVE-2021-45967
Indicators of Compromise
- HTTP requests containing path traversal sequences such as ../, ..%2f, %2e%2e/, or similar encoded variants targeting Pascom endpoints
- Unusual access patterns to Tomcat-served endpoints that bypass normal application routing
- Access log entries showing successful requests to administrative or internal-only endpoints from external IP addresses
- Unexpected file system access or resource retrieval from the Tomcat server
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns
- Configure NGINX access logging to capture full request URIs and monitor for traversal attempts
- Deploy intrusion detection systems (IDS) with signatures for path traversal attacks against Java application servers
- Enable Tomcat access logging and correlate with NGINX logs to identify requests that bypass intended routing
Monitoring Recommendations
- Monitor NGINX and Tomcat access logs for requests containing encoded or double-encoded directory traversal sequences
- Set up alerts for access to administrative endpoints from non-administrative networks or IP addresses
- Implement anomaly detection for unusual URL patterns or request volumes to backend Tomcat endpoints
- Review application error logs for path resolution failures that may indicate exploitation attempts
How to Mitigate CVE-2021-45967
Immediate Actions Required
- Upgrade Pascom Cloud Phone System to version 7.20.x or later immediately
- Review and harden NGINX reverse proxy configuration to properly normalize and validate all request paths before forwarding
- Implement strict URL filtering at the NGINX layer to block any requests containing path traversal sequences
- Restrict network access to the Tomcat backend server to only accept connections from the NGINX reverse proxy
Patch Information
Pascom has addressed this vulnerability in Cloud Phone System version 7.20.x and later releases. Organizations should update to the latest available version as documented in the Pascom Release Notes. Additional details specific to version 19 updates can be found in the Pascom Release Notes for Version 19.
Workarounds
- If immediate patching is not possible, implement WAF rules to block all requests containing path traversal patterns (../, encoded variants)
- Configure NGINX to perform strict path normalization using merge_slashes on and validate resolved paths before proxying
- Add Tomcat security constraints to restrict access to sensitive endpoints based on client IP or authentication status
- Deploy network segmentation to isolate the Pascom system from untrusted networks until patching is complete
# Example NGINX configuration hardening
# Add to server block to help mitigate path traversal
# Normalize slashes and reject suspicious patterns
merge_slashes on;
# Block requests with path traversal sequences
location ~ (\.\./|\.\.\\|%2e%2e|%252e) {
deny all;
return 403;
}
# Restrict proxy paths to intended endpoints only
location /api/ {
# Ensure path is normalized before proxying
proxy_pass http://tomcat_backend/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
