The Top 10 High-Risk Java Security Vulnerabilities, and How to Fix Them

The Top 10 High-Risk Java Vulnerabilities, & How to Fix Them

If you write your applications in Java, then you probably do so the way most other software makers do: you import code from third-party libraries—most of which are open-source. This practice makes the process of building applications far faster than it would be if everyone built their applications from scratch, but it also leads to an ongoing security problem in the development world: hackers are constantly trying to exploit vulnerabilities in the third-party code you’ve build your applications on.

This is why software supply chain security is an emerging priority in the cyber security world. More and more, regulators are setting expectations for software vendors when it comes to third-party vulnerabilities.

MergeBase manages a public database of over 40,000 common vulnerabilities and exposures (CVEs), and we’ve put together a list of the top 10 Java CVEs based on risk level and how often the CVE is searched online. For the following java vulnerabilities, we include their risk scores, the components they affect, a description, and (for some) high-level notes for remediation.

1 - CVE-2021-45046(Apache Log4j)

Risk score: 9.0

This is a vulnerability within a patch to another vulnerability. It was discovered that the fix to address CVE-2021-44228 (risk score: 10) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments.

Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Notes on remediation

MergeBase released a public free tool for detecting vulnerable Log4J versions within any applications that are vulnerable. We also published a YouTube video explaining the vulnerability in detail, which shows how MergeBase can prevent attackers from exploiting this vulnerability in running unpatched production systems.

2 - CVE-2020-079 (Microsoft Server Message Block)

Risk score: 10.0

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka Windows SMBv3 Client/Server Remote Code Execution Vulnerability.

Microsoft described the vulnerability thusly:

“An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Notes on remediation

Soon after the vulnerability was discovered, Microsoft released patches and workarounds for those affected by the CVE.

3 - CVE-2017-5638 (Apache Struts)

Risk score: 10.0

It’s not every day that an open source library leads to a 96 page congressional report! This is actually the bug that inspired the launch of MergeBase (and likely other cybersecurity startups, too).

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

As MergeBase co-founder and advisor Julius Musseau puts it:

“The bug itself is incredible - a work of true genius - and we encourage all software engineers to study it (especially those comfortable with Java). The contortions required by the first attacker to exploit this are unbelievable, but the payoff was devastating: full remote-code-execution.”

4 - CVE-2020-35489 (WordPress Contact Form 7 plugin)

Risk score: 10.0

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows unrestricted file upload and remote code execution because a filename may contain special characters. By using this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.

If you have Contact Form installed and allow any file uploads on any form, it is important to upgrade the plugin immediately. Due to the ubiquity of WordPress sites, you may be hit by drive-by automated attacks in addition to targeted attacks. A more detailed analysis of the vulnerability can be found here.

5 - CVE-2022-0543 (redis)

Risk score: 10.0

It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

6 - CVE-2022-22947 (Spring Cloud Gateway)

Risk score: 10.0

In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. As long as this vulnerability is present, a remote attacker can make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

7 - CVE-2018-14721 (jackson-databind)

Risk score: 10.0

FasterXML jackson-databind 2.x before version 2.9.7 may allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Notes on remediation

If you’re running Jackson-Databind and Axis2 is also on your classpath, you better upgrade this one! If Axis2 is not on your classpath, then you are safe, but it’s always a good idea to stay on the latest version of jackson-databind if you can.

Here’s the patch:

git clone
git log -p --first-parent jackson-databind-2.9.6..jackson-databind-2.9.7 -- src/main

+        // [databind#2097]: some 3rd party, one JDK-bundled
+        s.add("org.slf4j.ext.EventData");
+        s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
+        s.add("");
+        s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

Jackson-databind probably has more CVEs than any other open source Java library on the planet. But that is a bit misleading, because the CVE’s tend to be associated with blacklist “gadget” entries added to jackson-databind’s list of Java objects it will refuse to deserialize against. For a more detailed explanation, we recommend this blog post.

8 - CVE-2022-36067 (vm2)

Risk score: 10.0

vm2 is a sandbox that can run untrusted code with whitelisted Nodes built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Notes on remediation

This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds.

9 - CVE-2022-30123 (Rack)

Risk score: 10.0

A sequence injection vulnerability exists in Rack <, < and < which could allow a possible shell escape in the Lint and CommonLogger components of Rack.

10 - CVE-2019-10758 (mongo-express)

Risk score: 9.9

mongo-express before version 0.54.0 is vulnerable to remote code execution via endpoints that use the toBSON method. A misuse of the vm dependency to perform exec commands in a non-safe environment.

Catch all these java vulnerabilities and more with MergeBase

These are just 10 high-risk java vulnerabilities that developers commonly look up online. An advanced software composition analysis (SCA) tool will help you monitor your code libraries for these vulnerabilities (as well as new ones that arise) and provide your developers with guidance on remediating them.

Beyond scanning for CVEs and recommending patches, MergeBase provides an additional layer of security with Dynamic Application Surveillance and Hardening. This feature allows you to disable vulnerable functionalities right away, so your application is protected from exploits while your DevSecOps team fixes the problem.

If you want to see how MergeBase can protect your application from transitive java vulnerabilities, start a free trial now!

Oscar van der Meer

About the Author

Oscar van der Meer

Inspiring leadership and innovative technology expertise in Digital, Payments, Finance and Artificial Intelligence.