Published: 2020/07/28  Last Updated: 2020/07/28

JVN#62161191
JavaFX WebEngine does not properly restrict Java method execution

Overview

The WebEngine component provided by JavaFX and OpenJFX does not properly restrict Java method execution.

Products Affected

  • OracleJDK 8 versions prior to update 251
  • JavaFX versions prior to 14.0.1

Description

JavaFX, a GUI library for Java applications, is provided with OracleJDK 7 through 10.
Since OracleJDK 11, JavaFX has been maintained and developed separately by the OpenJFX project under the OpenJDK community.

The JavaFX WebEngine component renders web content and can be configured to allow JavaScript code to execute Java methods.
The WebEngine component does not properly restrict Java method execution (CWE-470).
This vulnerability is similar to CVE-2012-6636 in the Android WebView component.

Impact

When a JavaFX application renders crafted web content, arbitrary Java code may be executed with the application's privileges.

Solution

Update the software
JavaFX application developers should update their applications to the latest version of the JavaFX library.
JavaFX application users should update their Java execution environment to the latest version.

The JavaFX library in OracleJDK 8u251 and JavaFX 14.0.1 restricts a number of Java methods callable from JavaScript code.
Please refer to the release notes for details.
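
The configuration the Description refers to, where JavaScript is allowed to call Java methods, is shown below as an added example that is not part of the advisory or of JavaFX itself. The class names, the `app` member name and the host `app.example.com` are assumptions; the pattern limits which content can reach the Java bridge and does not replace the update.

```java
import java.net.URI;
import java.util.Collections;
import java.util.Set;
import javafx.application.Application;
import javafx.concurrent.Worker;
import javafx.scene.Scene;
import javafx.scene.web.WebEngine;
import javafx.scene.web.WebView;
import javafx.stage.Stage;
import netscape.javascript.JSObject;

public class BridgeDemo extends Application {
    // Assumed allowlist of hosts whose pages may call into Java (constructed value).
    private static final Set<String> TRUSTED_HOSTS = Collections.singleton("app.example.com");

    // Narrow bridge: a public class exposing only the one method the page needs.
    public static final class Bridge {
        public void log(String message) {
            System.out.println("[page] " + message);
        }
    }

    // Held in a field because WebEngine keeps only a weak reference to bound objects.
    private final Bridge bridge = new Bridge();

    // True only for HTTPS locations on an allowlisted host; anything unparsable is rejected.
    static boolean isTrusted(String location) {
        try {
            URI uri = URI.create(location);
            return "https".equals(uri.getScheme()) && uri.getHost() != null
                    && TRUSTED_HOSTS.contains(uri.getHost());
        } catch (IllegalArgumentException | NullPointerException e) {
            return false;
        }
    }

    @Override
    public void start(Stage stage) {
        WebView view = new WebView();
        WebEngine engine = view.getEngine();
        // Views that need no scripting at all can call engine.setJavaScriptEnabled(false).
        engine.getLoadWorker().stateProperty().addListener((obs, old, state) -> {
            // Bind the bridge only after a trusted document has finished loading.
            if (state == Worker.State.SUCCEEDED && isTrusted(engine.getLocation())) {
                JSObject window = (JSObject) engine.executeScript("window");
                window.setMember("app", bridge); // this call is what exposes Java to JavaScript
            }
        });
        engine.load("https://app.example.com/");
        stage.setScene(new Scene(view));
        stage.show();
    }
}
```

Because the bridge is bound per document after each load, a navigation to a location outside the allowlist leaves the new page without an `app` object.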

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 8.8
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

CVSS v2 AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score: 6.8
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)
Confidentiality Impact (C): Partial (P)
Integrity Impact (I): Partial (P)
Availability Impact (A): Partial (P)

Credit

ICHIHARA Ryohei of DMM.com LLC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia JVNDB-2020-000047