Lucene search

exploitdbGregory DraperiEDB-ID:40384
HistorySep 15, 2016 - 12:00 a.m.

Apache Mina 2.0.13 - Remote Command Execution

Gregory Draperi

Apache Mina 2.0.13 - Remote Command Execution. Webapps exploit for Java platform

Apache Mina 2.0.13 - Remote Command Execution


Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class. Its constructor takes into parameter one OGNL expression. Then this expression is executed when the method “find” is called. This class seems to be only used in the JMX MINA component “IoServiceMBean”. When the IOServiceMBean is exposed trough JMX it is possible to abuse the function to execute an arbitrary command on the server.


The function “find” in the “IoSessionFinder” class executes an arbitrary OGNL expression (Ognl.getValue(….)) defined in its constructor.


This vulnerability shows that Expression languages vulnerabilities are still present in Java libraries and can have a big impact even if it is in this case the vulnerability can only exploited in specific conditions.

Regarding the fix, the Apache Mina team didn't request a CVE neither acknowledged the vulnerability but I confirm that the vulnerability is fixed is the last version.


30/03/2016: First email to disclose the vulnerability to the Apache Security Team
31/03/2016: Acknowledgment from the Apache Mina team for the email reception and saying the vulnerability is under investigation
21/05/2016: Email from the Apache Mina saying that they look for possible remediations
12/08/2016: Email from the Apache Mina suggesting a solution
29/08/2016: Email from my side saying that the remediation looks good
30/08/2016: Apache Mina team published the new version fixing the issue.

PS: I have included two archives containing the two proofs of concept.

Proof of Concept: