CVE-2022-37422 Overview
CVE-2022-37422 is a directory traversal vulnerability affecting Payara application server products through version 5.2022.2. This vulnerability allows remote attackers to access sensitive files on the server without authentication by manipulating file path parameters. The flaw impacts Payara Server, Payara Micro, and Payara Server Embedded deployments, potentially exposing configuration files, application data, and other sensitive resources stored on the file system.
Critical Impact
Unauthenticated attackers can exploit this directory traversal vulnerability to read arbitrary files from affected Payara Server installations, potentially exposing sensitive configuration data, credentials, and application secrets.
Affected Products
- Payara Server (Community edition through 5.2022.2)
- Payara Server (Enterprise edition)
- Payara Micro
- Payara Server Embedded
Discovery Timeline
- 2022-08-18 - CVE-2022-37422 published to NVD
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2022-37422
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) allows unauthenticated remote attackers to escape the intended web root directory and access arbitrary files on the affected server. The vulnerability can be exploited over the network without requiring any user interaction or authentication, making it particularly dangerous for internet-facing Payara deployments.
The impact is primarily confidentiality-focused, as successful exploitation allows attackers to read sensitive files but does not directly enable modification of files or denial of service. Attackers could potentially access configuration files containing database credentials, API keys, private certificates, or other sensitive application data stored on the server.
Root Cause
The root cause of CVE-2022-37422 is improper input validation in Payara's file serving functionality. The application fails to adequately sanitize user-supplied file path parameters, allowing attackers to use path traversal sequences (such as ../) to escape the intended directory structure and access files outside the web application's root directory.
Attack Vector
The attack is conducted over the network by sending specially crafted HTTP requests containing directory traversal sequences. An attacker can manipulate URL paths or request parameters to include sequences like ../ or encoded variants that bypass basic filtering. This allows navigation up the directory tree to access sensitive system files or application configuration files.
For example, an attacker might craft requests targeting common sensitive files such as /etc/passwd on Linux systems, application configuration files containing database credentials, or Java keystore files containing cryptographic keys. Since no authentication is required, any attacker with network access to the Payara server can exploit this vulnerability.
Detection Methods for CVE-2022-37422
Indicators of Compromise
- HTTP access logs containing path traversal sequences such as ../, ..%2f, %2e%2e/, or similar encoded patterns
- Unusual file access patterns in server logs, particularly requests for files outside the web application directory
- Failed file access attempts to system configuration files or directories
- Requests targeting common sensitive files like /etc/passwd, application properties, or keystore files
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns
- Deploy SentinelOne Singularity for endpoint detection to identify anomalous file access patterns
- Monitor HTTP request logs for encoded path traversal sequences including URL-encoded, double-encoded, and Unicode variations
- Enable detailed access logging on Payara servers to capture file access attempts
Monitoring Recommendations
- Configure alerting on web server access logs for patterns matching directory traversal attempts
- Monitor file system access events for the Payara process accessing files outside the deployment directory
- Implement network intrusion detection signatures for path traversal attack patterns
- Review access logs regularly for reconnaissance activity targeting the Payara administration interface
How to Mitigate CVE-2022-37422
Immediate Actions Required
- Upgrade Payara Server Community edition to version 5.2022.3 or later immediately
- Upgrade Payara Enterprise deployments to the latest patched version
- Restrict network access to Payara servers using firewall rules to limit exposure
- Review server logs for evidence of exploitation attempts before and after patching
- Audit sensitive files for unauthorized access if exploitation is suspected
Patch Information
Payara has released patched versions that address this directory traversal vulnerability. Organizations should upgrade to Payara Community version 5.2022.3 or later, which contains the fix for this issue. The patch is available through the Payara Downloads Page. Additional details about the security fix are documented in the Payara Blog Release Announcement.
Workarounds
- Deploy a web application firewall (WAF) in front of Payara servers to filter path traversal patterns
- Implement network segmentation to limit access to Payara servers from untrusted networks
- Use reverse proxy configurations that normalize and validate request paths before forwarding to Payara
- Disable unnecessary file serving functionality if not required by applications
# Example: Restrict access to the Payara admin port (4848) using iptables.
# Replace trusted_admin_ip with the administrator's address or CIDR block; keep the
# ACCEPT rule before the DROP rule, because iptables evaluates rules in order.
iptables -A INPUT -p tcp --dport 4848 -s trusted_admin_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 4848 -j DROP
# Example: Configure a reverse proxy rule to block traversal patterns
# Apache mod_security rule. t:urlDecodeUni decodes %2e, %2f and %uXXXX forms before the
# match, so encoded variants are caught as well as the literal ../ (double-encoded
# requests need a second decode pass, so log and review them rather than relying on this rule alone).
SecRule REQUEST_URI "@rx (?:^|/)\.\.(?:/|$)" "id:1001,phase:1,deny,status:403,log,msg:'Path traversal attempt blocked',t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

