
plexus-utils Command Injection Vulnerability [CVE-2017-1000487]

A vulnerability in the Commandline class of plexus-utils could allow an unauthenticated, remote attacker to inject and execute arbitrary shell commands on a targeted system. plexus-utils is a library rather than a standalone service: the attacker needs an application that passes attacker-influenced input to the Commandline class, and whether the attack is truly remote or unauthenticated depends on how that application exposes the input.

The vulnerability is due to improper processing of user-supplied input that contains double-quoted strings by the affected software. When the Commandline class hands a command line to a shell, a double quote embedded in an argument is not neutralised, so it can close the quoting the class itself adds, and the shell then reads the rest of the argument as further commands. An attacker could exploit this vulnerability by supplying a crafted argument of that shape (a double quote followed by shell metacharacters such as a command separator) to an application that passes it to the affected class. A successful exploit could allow the attacker to execute arbitrary shell commands with the privileges of the affected application.

Codehaus Plexus has confirmed the vulnerability and released software updates.

Analysis

To exploit this vulnerability, an attacker must get crafted input to an application that passes it to the Commandline class on the targeted system, which makes exploitation more difficult in environments that restrict network access from untrusted sources. Note that plexus-utils is most often pulled in as a transitive dependency (it is used throughout the Maven ecosystem), so an application can contain the vulnerable class without declaring a direct dependency on it.

Safeguards

Administrators are advised to apply the appropriate updates (plexus-utils 3.0.16 or later). In Maven-built software, copies of the library, including transitive ones, can be located with mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils; any version below 3.0.16 should be overridden, or the dependency that pulls it in upgraded.

Where the library cannot be updated immediately, developers are advised not to pass untrusted input through the Commandline class, and to prefer starting processes with an argument array (for example java.lang.ProcessBuilder) so that no shell parses the arguments at all.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems, in particular for unexpected child processes (shells and the commands they spawn) started by the Java application.
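To make the bug class described above and the hardened form recommended under Safeguards concrete, here is an added example written for this page in Python; it is not code from plexus-utils, from the fix commit, or from the advisory. It assumes a simplified quote_naive builder that stands in for the flawed behaviour (wrapping an argument in double quotes without escaping a double quote already inside it), uses constructed sample arguments, and runs the assembled string through sh -c the way a shell-mediated Commandline execution would. The hardened quoter uses single quotes, which is also what a correct Bourne-shell quoting routine does.

```python
import shlex
import subprocess

# Constructed sample inputs (assumptions for this example, not from the advisory).
# The malicious value has the shape the advisory describes: a double quote that
# closes the caller's quoting, followed by a command separator.
BENIGN_ARG = "report 2017.txt"
MALICIOUS_ARG = '"; echo INJECTED; echo "'


def quote_naive(arg: str) -> str:
    """Simplified model of the flaw: wrap the argument in double quotes but
    leave any double quote already inside it untouched.  This illustrates the
    bug class; it is not plexus-utils' actual source."""
    return '"' + arg + '"'


def quote_safe(arg: str) -> str:
    """Hardened form: shlex.quote wraps the value in single quotes and rewrites
    embedded single quotes as '"'"', so nothing inside the argument can end the
    quoting the caller added."""
    return shlex.quote(arg)


def build_command(quoter, arg: str) -> str:
    """What the application intends: run echo with exactly one argument."""
    return "echo " + quoter(arg)


def shell_words(command: str) -> list:
    """Split the command line into words the way a POSIX shell would.
    Offline check: a correctly quoted single argument yields exactly two
    words (the program and its argument); more words means the quoting broke."""
    return shlex.split(command)


def run_via_shell(command: str) -> list:
    """Execute the assembled string through `sh -c`, as a shell-mediated
    Commandline execution does, and return stdout split into lines."""
    result = subprocess.run(["sh", "-c", command],
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def injected(quoter) -> bool:
    """True if the malicious argument made the shell run the smuggled command:
    INJECTED then appears as an output line of its own rather than as part of
    the echoed argument text."""
    return "INJECTED" in run_via_shell(build_command(quoter, MALICIOUS_ARG))


if __name__ == "__main__":
    for name, quoter in (("naive", quote_naive), ("safe", quote_safe)):
        cmd = build_command(quoter, MALICIOUS_ARG)
        print(f"{name:5s} command : {cmd}")
        print(f"{name:5s} words   : {shell_words(cmd)}")
        print(f"{name:5s} injected: {injected(quoter)}")
```

With the naive quoter the assembled string is echo ""; echo INJECTED; echo "", which the shell runs as three commands; with the safe quoter the whole malicious value survives as one argument and is merely printed. The same structural fix applies in Java: upgrade to 3.0.16 or later, and where possible hand the process an argument array rather than a string that a shell must re-parse.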

CVE Number – CVE-2017-1000487

Vendor Announcements

Codehaus Plexus has published the fix in the plexus-utils repository as git commit b38a1b3a4352303e4312b2bb601a0d7ec6e28f41.

Fixed Software

Codehaus Plexus has released fixed software: plexus-utils 3.0.16 or later.




Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
