CVE-2023-37895 Overview
CVE-2023-37895 is an insecure deserialization vulnerability affecting Apache Jackrabbit webapp/standalone deployments across all platforms. The vulnerability allows remote attackers to execute arbitrary code via RMI (Remote Method Invocation) by exploiting unsafe Java object deserialization in the commons-beanutils component.
The vulnerability stems from the presence of exploitable classes on the classpath that can be leveraged for remote code execution when RMI support is enabled. This affects versions up to and including 2.20.10 (stable branch) and 2.21.17 (unstable branch).
Critical Impact
Unauthenticated remote attackers can achieve arbitrary code execution over RMI with the privileges of the Jackrabbit process, which can lead to complete compromise of the affected server.
Affected Products
- Apache Jackrabbit versions up to and including 2.20.10 (stable branch)
- Apache Jackrabbit versions up to and including 2.21.17 (unstable branch)
- Earlier stable branches (1.0.x through 2.18.x) are end-of-life and do not receive updates
Discovery Timeline
- 2023-07-25 - CVE-2023-37895 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-37895
Vulnerability Analysis
This insecure deserialization vulnerability exists within Apache Jackrabbit's RMI functionality. When RMI support is enabled, the application accepts and deserializes Java objects from remote sources. The commons-beanutils library included in vulnerable versions contains classes that can be weaponized as deserialization gadgets, enabling attackers to construct malicious serialized objects that execute arbitrary code upon deserialization.
The vulnerability is particularly dangerous because RMI support is enabled by default in Jackrabbit webapp/standalone deployments through two vectors: a native RMI protocol typically running on port 1099, and an HTTP binding accessible via the /rmi path. This default-enabled configuration significantly expands the attack surface.
Root Cause
The root cause is the inclusion of the commons-beanutils component in the application classpath, which contains gadget classes that can be exploited during Java deserialization. When RMI is enabled, the Jackrabbit server accepts serialized Java objects from remote clients without adequate validation, allowing attackers to inject malicious payloads that leverage known deserialization gadgets for code execution.
The Apache advisory notes that even if Jackrabbit itself no longer contains directly exploitable code, the mere presence of exploitable classes on the classpath creates this vulnerability. This highlights a fundamental issue with Java deserialization security where transitive dependencies can introduce security risks.
Attack Vector
The attack is conducted remotely over the network without requiring authentication or user interaction. Attackers can target either:
- Native RMI Protocol (Port 1099): Direct RMI communication with malicious serialized objects
- RMI-over-HTTP (Path /rmi): HTTP-based RMI binding that accepts serialized payloads
An attacker crafts a malicious serialized Java object utilizing gadget chains from commons-beanutils. When this payload is sent to an exposed RMI endpoint, the Jackrabbit server deserializes it, triggering the gadget chain and executing the attacker's arbitrary code with the privileges of the Jackrabbit process.
To check if RMI is enabled, administrators can use network tools like netstat to verify if port 1099 is listening, or test the HTTP endpoint by checking whether a GET request to localhost:8080/rmi returns 200 (enabled) or 404 (disabled).
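The two checks above, as an added Python example that is not part of the advisory: it probes the native RMI port and the /rmi HTTP path and maps the results to the enabled/disabled reading given above. The host (localhost) and ports (1099, 8080) are assumptions taken from the defaults this page describes.

```python
"""Added example (not from the advisory): probe a Jackrabbit host for the two RMI
vectors described above. Host and ports are assumptions based on the page's defaults."""
import http.client
import socket


def rmi_port_listening(host: str, port: int = 1099, timeout: float = 2.0) -> bool:
    """True if a TCP connection to the native RMI port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def rmi_http_status(host: str, port: int = 8080, path: str = "/rmi", timeout: float = 2.0):
    """HTTP status of GET /rmi on the webapp, or None if the server is unreachable."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def assess_rmi_exposure(port_open: bool, http_status) -> dict:
    """Map raw probe results to the advisory's reading: 200 enabled, 404 disabled."""
    if http_status == 200:
        http_state = "enabled"
    elif http_status == 404:
        http_state = "disabled"
    elif http_status is None:
        http_state = "unreachable"
    else:
        http_state = f"unexpected status {http_status}"
    return {
        "native_rmi_1099": "listening" if port_open else "closed",
        "rmi_over_http": http_state,
        "exposed": bool(port_open or http_status == 200),
    }


if __name__ == "__main__":
    host = "localhost"  # assumption: run on the Jackrabbit server itself
    report = assess_rmi_exposure(rmi_port_listening(host), rmi_http_status(host))
    for key, value in report.items():
        print(f"{key}: {value}")
```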
Detection Methods for CVE-2023-37895
Indicators of Compromise
- Unexpected network connections on port 1099 from external IP addresses
- Unusual HTTP requests targeting the /rmi endpoint with non-standard payloads
- Process execution anomalies spawned from the Java process running Jackrabbit
- Suspicious serialized Java objects in network traffic containing commons-beanutils gadget chain signatures
Detection Strategies
- Monitor network traffic for RMI protocol communications on port 1099 from untrusted sources
- Implement web application firewall rules to detect and block suspicious serialized Java objects in HTTP requests to /rmi
- Deploy endpoint detection to identify unusual process spawning from Java/Jackrabbit processes
- Configure intrusion detection systems to alert on known Java deserialization attack patterns
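One way to implement the /rmi inspection rule from the list above, as an added Python example that is not from the advisory or from Jackrabbit: it recognizes the Java serialization stream header in request bodies sent to /rmi and flags class names from the commons-beanutils package named on this page. The sample requests and the class name PlaceholderGadget are constructed for illustration and do not refer to a real class.

```python
"""Added example (not from the advisory): flag /rmi requests carrying Java serialization streams that name commons-beanutils classes."""
import re
from typing import Iterator, List, Tuple

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                     # tag preceding a class name in the stream
SUSPICIOUS_PACKAGE = "org.apache.commons.beanutils."
CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def class_names(stream: bytes) -> Iterator[str]:
    """Yield class names found after TC_CLASSDESC tags (2-byte length + UTF bytes)."""
    i = 0
    while i < len(stream) - 3:
        if stream[i] == TC_CLASSDESC:
            length = int.from_bytes(stream[i + 1:i + 3], "big")
            name = stream[i + 3:i + 3 + length]
            if len(name) == length and CLASS_NAME_RE.match(name):
                yield name.decode("ascii")
                i += 3 + length
                continue
        i += 1


def inspect_request(method: str, path: str, body: bytes) -> Tuple[str, List[str]]:
    """'clean': not a Java stream to /rmi; 'serialized': Java stream, which legitimate
    RMI-over-HTTP clients also send; 'gadget': names a commons-beanutils class."""
    if not path.startswith("/rmi") or not body.startswith(JAVA_STREAM_MAGIC):
        return "clean", []
    hits = [n for n in class_names(body) if n.startswith(SUSPICIOUS_PACKAGE)]
    return ("gadget" if hits else "serialized"), hits


def _classdesc(name: str) -> bytes:
    # Build TC_CLASSDESC + length-prefixed class name (constructed test data only).
    return bytes([TC_CLASSDESC]) + len(name).to_bytes(2, "big") + name.encode()


# Constructed sample traffic; PlaceholderGadget is a made-up class name, not a real gadget.
SAMPLE_REQUESTS = [
    ("GET", "/rmi", b""),
    ("POST", "/rmi", JAVA_STREAM_MAGIC + b"\x73" + _classdesc("java.util.HashMap")),
    ("POST", "/rmi", JAVA_STREAM_MAGIC + b"\x73"
     + _classdesc(SUSPICIOUS_PACKAGE + "PlaceholderGadget")),
]


def scan(requests=SAMPLE_REQUESTS) -> List[Tuple[str, str, List[str]]]:
    return [(path, *inspect_request(m, path, body)) for m, path, body in requests]
```

A plain serialized stream to /rmi is expected from legitimate RMI-over-HTTP clients, so only the gadget verdict is a strong indicator on its own; the serialized verdict is useful when correlated with the source address.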
Monitoring Recommendations
- Enable verbose logging for the Jackrabbit application to capture RMI access attempts
- Implement network segmentation to restrict RMI endpoint accessibility to trusted internal networks only
- Set up alerting for any external access attempts to port 1099 or the /rmi HTTP path
- Regularly audit running services and open ports to ensure RMI is not inadvertently enabled
How to Mitigate CVE-2023-37895
Immediate Actions Required
- Update Apache Jackrabbit to version 2.20.11 (stable) or 2.21.18 (unstable) immediately
- Disable RMI support entirely if not required for operations
- Block external access to port 1099 and the /rmi HTTP endpoint at the network perimeter
- Review and restrict classpath dependencies to remove unnecessary libraries containing deserialization gadgets
Patch Information
Apache has released patched versions that address this vulnerability. Users should upgrade to:
- Stable Branch: Version 2.20.11 or later
- Unstable Branch: Version 2.21.18 or later
Earlier branches (1.0.x through 2.18.x) are end-of-life and will not receive security updates. Organizations running these versions must upgrade to a supported branch.
For detailed information, refer to the Apache Jackrabbit Mailing List and the Apache Thread Discussion.
Workarounds
- Disable RMI-over-HTTP by removing the RemoteBindingServlet declaration and mapping from web.xml
- Set rmi.enabled=false in the bootstrap.properties file located in $REPOSITORY_HOME
- Remove the rmi.host, rmi.port, and rmi.url-pattern configuration entries
- If bootstrap.properties is not in $REPOSITORY_HOME, copy it there from the classpath and apply the modifications
<!-- Remove these entries from web.xml to disable RMI-over-HTTP -->
<!--
  <servlet>
    <servlet-name>RMI</servlet-name>
    <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RMI</servlet-name>
    <url-pattern>/rmi</url-pattern>
  </servlet-mapping>
-->
# Add to bootstrap.properties in $REPOSITORY_HOME
rmi.enabled=false
# Also remove these if present:
# rmi.host
# rmi.port
# rmi.url-pattern
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.