Try Free

Vulnerability Affecting Server Environments On Java 1.8 on Updates lower than 1.8u191

Uncategorized
Fabio Turizo
Published: 28 Mar 2023
Updated: 03 Aug 2025

The vulnerability in question is CVE-2023-28462, which was requested directly by Payara.

 

It is a JNDI Exploit using ‘context.rebind` method when running Payara Server on an older JDK 8 Update. The JNDI exploit can be triggered via access to insecure ORB listeners exposed by a Payara Server installation.

This vulnerability allows remote attackers to load malicious code into a Payara Server installation that is public facing (exposed on the Internet) using remote JNDI access via unsecured ORB listeners. The vulnerability is dangerous in the sense that it allows attackers to load the remote exploit only by knowing the location of any unsecured ORB listener (hostname and port).

However, the vulnerability only affects server environments running on Java 1.8 on running on updates lower than 1.8u191. If the server environment runs in a newer update or if it runs on JDK11+ the exploit cannot be triggered under any circumstance.

To deal with this vulnerability, follow these instructions:

  • If a Payara Enterprise customer is running a Payara Server 4.x or 5.x environment using Java 1.8, they should be running it on its latest update.
    • Reminder: Payara Enterprise customers have access to recent JDK 1.8 updates courtesy of Azul Platform Core.
  • If a customer can’t upgrade their environment to run under the latest (or a newer update greater that 191), they can mitigate the vulnerability by either:
    • Disabling any public facing ORB listeners if they are not used in any way.
    • Configuring all public facing ORB listeners to be secured using SSL/TLS communication.
    • Customers may contact support to get more details on how to correctly setup ORB listeners’ security.
  • If a community user is running a Payara Server 5.x environment using Java 1.8, they should be running Payara Server 6.x as 5.x is out of support.
    • If it’s not possible for a user to update their environment to 6.x, they should either upgrade their Java 8 runtimes to a newer update or apply the mitigation measures (disabling or securing the listener) mentioned above.
  • Payara Server 6.x (both Community and the soon-to-be-released Enterprise) are not affected since they require Java 11 at a minimum to run. Users shouldn’t be concerned with the exploit in this case.
  • Nevertheless, we recommend users to ALWAYS either disable or secure any public-facing ORB listeners as it is a good practice to prevent most attacks on their environments.

Credit to discovering this vulnerability goes to tr1ple from AntGroup FG.

Share:

Download Payara Platform Community

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

Related Posts

4 minutes
Uncategorized
Dominika Tasarz
25 Sep 2025

Leading the Way: Payara Platform Community 7 Beta Now Fully Jakarta EE 11 Certified

We’re excited to announce that Payara Platform Community 7 Beta application server is now fully certified as Jakarta EE 11 […]

Read More
What Is a Java Application Server? A Short Guide 6 minutes
Jakarta EE
Chiara Civardi
29 Aug 2025

What Is a Java Application Server? A Short Guide

Enterprise Java applications power global commerce, healthcare, government and countless other industries. These systems must be scalable, secure and […]

Read More
10 minutes
Uncategorized
Chiara Civardi
14 Mar 2025

Java’s 30th Anniversary: A Celebration of Legacy, Evolution and Community

May 2025 marks a monumental milestone in software development: Java turns 30. The impact of this language on the […]

Read More