Try Free

Vulnerability Affecting Server Environments On Java 1.8 on Updates lower than 1.8u191

Uncategorized
Fabio Turizo
Published: 28 Mar 2023
Updated: 03 Aug 2025

The vulnerability in question is CVE-2023-28462, which was requested directly by Payara.

 

It is a JNDI Exploit using ‘context.rebind` method when running Payara Server on an older JDK 8 Update. The JNDI exploit can be triggered via access to insecure ORB listeners exposed by a Payara Server installation.

This vulnerability allows remote attackers to load malicious code into a Payara Server installation that is public facing (exposed on the Internet) using remote JNDI access via unsecured ORB listeners. The vulnerability is dangerous in the sense that it allows attackers to load the remote exploit only by knowing the location of any unsecured ORB listener (hostname and port).

However, the vulnerability only affects server environments running on Java 1.8 on running on updates lower than 1.8u191. If the server environment runs in a newer update or if it runs on JDK11+ the exploit cannot be triggered under any circumstance.

To deal with this vulnerability, follow these instructions:

  • If a Payara Enterprise customer is running a Payara Server 4.x or 5.x environment using Java 1.8, they should be running it on its latest update.
    • Reminder: Payara Enterprise customers have access to recent JDK 1.8 updates courtesy of Azul Platform Core.
  • If a customer can’t upgrade their environment to run under the latest (or a newer update greater that 191), they can mitigate the vulnerability by either:
    • Disabling any public facing ORB listeners if they are not used in any way.
    • Configuring all public facing ORB listeners to be secured using SSL/TLS communication.
    • Customers may contact support to get more details on how to correctly setup ORB listeners’ security.
  • If a community user is running a Payara Server 5.x environment using Java 1.8, they should be running Payara Server 6.x as 5.x is out of support.
    • If it’s not possible for a user to update their environment to 6.x, they should either upgrade their Java 8 runtimes to a newer update or apply the mitigation measures (disabling or securing the listener) mentioned above.
  • Payara Server 6.x (both Community and the soon-to-be-released Enterprise) are not affected since they require Java 11 at a minimum to run. Users shouldn’t be concerned with the exploit in this case.
  • Nevertheless, we recommend users to ALWAYS either disable or secure any public-facing ORB listeners as it is a good practice to prevent most attacks on their environments.

Credit to discovering this vulnerability goes to tr1ple from AntGroup FG.

Share:

Download Payara Platform Community

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

Related Posts

6 minutes
Uncategorized
Chiara Civardi
12 Mar 2025

Conf42 IoT 2024: At the Edge of Robotic Applications

At the latest Conf42 Internet of Things (IoT) 2024 conference, our Payarans deliver a keynote, titled “At the Edge […]

Read More
5 minutes
Uncategorized
Luqman Saeed
03 Feb 2025

10 Reasons Why Java is the Future of Enterprise App Development in 2025

Java has been a core element of enterprise application development for decades, and its relevance will continue to grow […]

Read More
5 minutes
Uncategorized
Chiara Civardi
31 Jan 2025

Keen To Slash Software Development Costs? Here’s What To Look For In A Middleware Solution

For technology companies, cost effectiveness in software and application development isn’t just about saving money. It is about delivering […]

Read More