Platform: java
Component: soap:soap
Fixed in: 2.3.1
CVE-2022-45378 describes a critical remote code execution (RCE) vulnerability in Apache SOAP versions 2.3.1 and earlier. Due to the lack of authentication for the RPCRouterServlet, attackers can invoke methods on the classpath, potentially leading to arbitrary code execution. This vulnerability affects unsupported versions of Apache SOAP and requires immediate attention to prevent exploitation.
The primary impact of CVE-2022-45378 is the potential for remote code execution. An attacker can exploit this vulnerability by sending crafted requests to the RPCRouterServlet, leveraging methods available on the classpath. The severity of the impact depends on the classes present on the classpath; however, successful exploitation could allow an attacker to gain complete control over the affected server. This could lead to data breaches, system compromise, and further lateral movement within the network. The lack of authentication makes this vulnerability particularly concerning as it requires minimal effort to exploit.
CVE-2022-45378 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's ease of exploitation and the lack of available patches make it a high-risk concern. The vulnerability was publicly disclosed on November 14, 2022. Given the product's end-of-life status, exploitation is likely to increase as attackers actively scan for vulnerable systems.
Exploit Status
EPSS: 4.51% (89th percentile)
CVSS Vector
Due to Apache SOAP being an unsupported product, direct patching is unavailable. The primary mitigation strategy is to disable the RPCRouterServlet. This can be achieved by removing the servlet mapping from the web application deployment descriptor (web.xml) or by configuring the web server to block access to the servlet. If disabling the servlet is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests targeting the RPCRouterServlet. Regularly review the classpath to minimize the availability of potentially exploitable classes. Verify mitigation by attempting to access the RPCRouterServlet after implementing the changes; access should be denied.
Update to a supported version or disable the RPCRouterServlet if it is not needed. Since Apache SOAP is no longer supported, migrating to a modern alternative is the recommended solution. If migration is not possible, implementing strict access controls for the RPCRouterServlet can mitigate the risk.
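As an added example (not from the advisory or the Apache SOAP project), the following Python script audits a web.xml for servlet mappings that route to the RPCRouterServlet and can strip them, which is the deployment-descriptor mitigation described above. The sample web.xml is constructed, and the servlet's package name (org.apache.soap.server.http) is an assumption.

```python
"""Audit a web.xml for Apache SOAP RPCRouterServlet mappings (added example,
not from the advisory or Apache SOAP). The sample web.xml is constructed and
the servlet's package name is assumed."""
import xml.etree.ElementTree as ET

# Constructed sample: one exposed RPCRouterServlet mapping plus an unrelated servlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet><servlet-name>rpcrouter</servlet-name>
    <servlet-class>org.apache.soap.server.http.RPCRouterServlet</servlet-class></servlet>
  <servlet><servlet-name>status</servlet-name>
    <servlet-class>com.example.StatusServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>rpcrouter</servlet-name>
    <url-pattern>/servlet/rpcrouter</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>status</servlet-name>
    <url-pattern>/status</url-pattern></servlet-mapping>
</web-app>"""

def _child_text(elem, name):
    """Text of elem's first child with this local name (XML namespace ignored)."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return ""

def _router_names(root):
    """servlet-names whose servlet-class is the RPCRouterServlet."""
    return {_child_text(s, "servlet-name") for s in root
            if _child_text(s, "servlet-class").endswith("RPCRouterServlet")}

def find_rpcrouter_mappings(web_xml):
    """Return the url-pattern of each mapping routed to RPCRouterServlet; empty means mitigated."""
    root = ET.fromstring(web_xml)
    routers = _router_names(root)
    return sorted(_child_text(m, "url-pattern") for m in root
                  if m.tag.endswith("servlet-mapping")
                  and _child_text(m, "servlet-name") in routers)

def remove_rpcrouter_mappings(web_xml):
    """Return web_xml with every servlet-mapping to RPCRouterServlet removed."""
    root = ET.fromstring(web_xml)
    routers = _router_names(root)
    for m in list(root):
        if m.tag.endswith("servlet-mapping") and _child_text(m, "servlet-name") in routers:
            root.remove(m)
    # ElementTree may rewrite the namespace prefix on output; re-parse the result to verify.
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("exposed:", find_rpcrouter_mappings(SAMPLE_WEB_XML))
    print("after fix:", find_rpcrouter_mappings(remove_rpcrouter_mappings(SAMPLE_WEB_XML)))
```

Removing the mapping only stops requests from reaching the servlet; the class stays on the classpath, so the classpath review the text recommends still applies.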
CVE-2022-45378 is a critical remote code execution vulnerability in Apache SOAP versions 2.3.1 and earlier. The RPCRouterServlet is accessible without authentication, allowing attackers to potentially execute arbitrary code.
You are affected if you are running Apache SOAP version 2.3.1 or earlier, especially if it's deployed in an environment where the RPCRouterServlet is accessible.
Due to the product's end-of-life, patching is unavailable. Mitigation involves disabling the RPCRouterServlet by removing its mapping or blocking access via a WAF.
While widespread exploitation hasn't been confirmed, the vulnerability's ease of exploitation and the lack of available patches make it a high-risk concern, and exploitation is likely to increase.
Apache SOAP is no longer maintained. Information about this vulnerability can be found on the NVD website: https://nvd.nist.gov/vuln/detail/CVE-2022-45378