Newer versions of JDK are vulnerable if `JEXL` engine is enabled

Question

Newer versions of JDK are vulnerable if `JEXL` engine is enabled

rgmz opened this issue 2 years ago · 1 comments

The README currently states that:

Note that in JDK 15 and later the JavaScript engine is not longer included, so any instance running on a JVM 15 or later will not be vulnerable to RCE via the script key, however it will still be vulnerable to the dns and url keys.

However, new research from @ pwntester indicates that the JEXL engine is present in newer versions of JDK:

) Hi Erik, I received some question related to the JDK versions affected by this vulnerability. Can you please update your blog post to make it clear that all JDK versions are vulnerable? Nashorn is effectively not available in modern JDKs but JEXL is

https://twitter.com/pwntester/status/1582321752566161409
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/

Answer 1 · 2022-10-19T18:47:40.000Z

I've updated the README to contain the appropriate information. Thanks for pointing this out @rgmz!