CVE-2023-5183

Title

Authenticated RCE due to unsafe JSON deserialization

Severity

Critical: CVSS score is 9.9

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Unsafe deserialization of untrusted JSON allows execution of arbitrary code on affected releases of the Illumio PCE. Authentication to the API is required to exploit this vulnerability. The flaw exists within the network_traffic API endpoint. An attacker can leverage this vulnerability to execute code in the context of the PCE’s operating system user.  
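The advisory does not name the PCE's implementation language or JSON library; the following added example (not Illumio's code) assumes a Ruby service and uses Ruby's standard JSON library to show the vulnerability class, a parser that lets the request body choose which class is instantiated, next to a hardened parser that only produces plain data and validates its shape. The TrafficFilter class, the request body and the allowed-key list are constructed for the example.

```ruby
require 'json'

# Constructed stand-in for any class loaded in the process that implements
# json_create; real applications carry many such classes, and JSON.load with
# create_additions will call whichever one the document names.
class TrafficFilter
  attr_reader :src

  def initialize(src)
    @src = src
  end

  def self.json_create(hash)
    new(hash['src'])
  end
end

# Constructed request body: a legitimate client sends plain data, but an
# attacker-controlled body can add a "json_class" key to pick a class.
BODY = '{"filter":{"json_class":"TrafficFilter","src":"10.0.0.1"}}'

# Unsafe: create_additions hands control of object instantiation to the
# untrusted document, which is the root of this vulnerability class.
def parse_unsafe(body)
  JSON.load(body, nil, create_additions: true)
end

# Hardened: JSON.parse never instantiates classes (it returns only Hash,
# Array, String, Numeric, true/false/nil), and the result is validated
# against the fields the endpoint actually accepts.
ALLOWED_KEYS = %w[src dst].freeze

def parse_safe(body)
  data = JSON.parse(body)
  filter = data['filter']
  raise ArgumentError, 'filter must be an object' unless filter.is_a?(Hash)
  extra = filter.keys - ALLOWED_KEYS
  raise ArgumentError, "unexpected keys: #{extra.join(',')}" unless extra.empty?
  filter
end
```

With the unsafe parser the nested object comes back as a TrafficFilter instance; with the hardened parser the same body is rejected because "json_class" is not an accepted field.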

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below.

Affected Product    Affected Version    Fixed Version
Illumio Core PCE    <= 19.3.6           >= 19.3.7
Illumio Core PCE    <= 21.2.7           >= 21.2.8
Illumio Core PCE    <= 21.5.35          >= 21.5.36
Illumio Core PCE    <= 22.2.41          >= 22.2.42
Illumio Core PCE    <= 22.5.30          >= 22.5.31
Illumio Core PCE    <= 23.2.10          >= 23.2.11

Resolution

Upgrade to the latest release for a given major version.

References

Skipped Critical Patch Updates

Illumio strongly recommends that customers apply security patches as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security patches announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions.

Discovered By

External Security Firm
Frequently Asked Questions

What software components are affected?

Only the Illumio PCE is impacted by this vulnerability.

What products did this affect?

This vulnerability impacts the PCE, including Core on-premises deployments, Core SaaS, Endpoint, MSP, and Edge.

Is Core/Endpoint SaaS affected?

SaaS PCE clusters were impacted. Those environments have been patched.

I’m using CloudSecure. Am I impacted?

The CloudSecure platform is not affected. However, any on-premises PCE used in combination with CloudSecure may be impacted and would need to be updated.

How was it found?

The issue was found during a regularly scheduled pentest. Illumio engages with multiple external offensive testing firms to pentest the PCE and other Illumio products prior to release.

Will the patch affect performance?

The update is not expected to affect performance.

How can I tell if this vulnerability was used against my on-premises PCE?

Illumio is in the process of creating queries which can be used by customers to detect known vectors for exploitation of this vulnerability. Please contact Illumio Support or your account team for assistance. If you suspect this vulnerability was used within your environment, please reach out to Illumio Support.

Has Illumio investigated if this vulnerability was used on any SaaS PCEs?

Illumio has investigated all available logs from the production SaaS environment and found no indications that the issue had been exploited. Per Illumio policy, production logs are retained for 12 months.

I can’t apply the patch immediately. How can I mitigate the issue in the meantime?

This vulnerability requires a PCE user account and access to the user API to exploit. Customers who cannot patch their PCEs immediately, and wish to mitigate this issue, can use source IP restrictions to limit access to trusted source IPs.

For more information on access restrictions, please see:

https://docs.illumio.com/core/23.2/Content/Guides/pce-administration/access-configuration/access-restrictions-ui.htm

Additionally, customers should:

  • Ensure the PCE is not accessible from the Internet
  • Review PCE users, ensuring inactive accounts are disabled

How long will the upgrade take?

The fix is delivered in a normal code release, so the upgrade takes the same amount of time as any other PCE upgrade.

What are Illumio’s plans to prevent this type of vulnerability in the future?

Illumio will be conducting an internal review of current practices to identify any potential improvements.

Were any Illumio customers impacted by this vulnerability?

Illumio is not aware of any exploitation of this vulnerability on any customer environments.

Modification History

Date                  Description
September 26th 2023   Initial Publication of CVE