CVE-2024-5275: SQLi Vulnerability in Fortra FileCatalyst Workflow


On June 25, 2024, Fortra published a security advisory for a vulnerability affecting its FileCatalyst Workflow product. The vulnerability, tracked as CVE-2024-5275, is rated critical severity due to its low attack complexity and high impact. CVE-2024-5275 allows remote, unauthenticated threat actors to perform SQL injection against FileCatalyst Workflow instances that have anonymous access enabled, which could result in threat actors performing sensitive actions such as deleting database tables or creating administrative users.

While CVE-2024-5275 is not currently being actively exploited, the original reporter of the vulnerability has published their technical analysis alongside a proof of concept. This elevates the risk of CVE-2024-5275, since managed file transfer products such as FileCatalyst Workflow are high-value targets for threat actors. Most recently, an authentication bypass vulnerability (CVE-2024-5806) in the Progress MOVEit managed file transfer product was actively exploited shortly after disclosure.

Recommendations for CVE-2024-5275

Recommendation #1: Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends upgrading to the latest fixed version.

Fortra states that older versions of FileCatalyst Workflow (5.1.5 and earlier) that use the included HSQLDB must migrate to MySQL or MariaDB prior to the upgrade. Detailed instructions are available from Fortra.

Please follow your organization’s patching and testing guidelines to avoid any operational impact.

| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Fortra FileCatalyst Workflow | 5.1.6 build 135 or earlier | 5.1.6 build 139 |

Recommendation #2: Mitigation

For customers that are unable to upgrade, Fortra has provided a mitigation. If you are running a FileCatalyst Workflow version older than v5.1.6 build 135, a patch must be applied before the mitigation.

Disable the Vulnerable Servlets

  1. Stop Tomcat Service
  2. Navigate to the “web.xml” file located at: <tomcat install dir>/webapps/workflow/WEB-INF/web.xml
  3. Backup the web.xml to a safe location before making changes
  4. Edit the file and comment out the servlet mapping blocks for: csv_servlet, pdf_servlet, xml_servlet, json_servlet
  5. Save the changes and start your Tomcat Service
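
To confirm that step 4 took effect, the following added example (not from Fortra or the original advisory) parses web.xml and reports any of the four servlets that still has an active mapping. It assumes the names in step 4 appear as `<servlet-name>` values; the namespace and URL patterns in the sample are constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Servlet names from step 4; assumed to be the <servlet-name> values in web.xml.
VULNERABLE = {"csv_servlet", "pdf_servlet", "xml_servlet", "json_servlet"}

def local(tag):
    """Strip an XML namespace so the check works with any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]

def active_mappings(web_xml):
    """Return {servlet_name: [url patterns]} for listed servlets that are still mapped.

    The parser discards XML comments, so a mapping that was commented out
    correctly does not appear in the result.
    """
    root = ET.fromstring(web_xml)
    found = {}
    for elem in root.iter():
        if local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in elem:
            text = (child.text or "").strip()
            if local(child.tag) == "servlet-name":
                name = text
            elif local(child.tag) == "url-pattern":
                patterns.append(text)
        if name in VULNERABLE:
            found.setdefault(name, []).extend(patterns)
    return found

# Constructed sample: two mappings commented out, two left active by mistake.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!-- <servlet-mapping><servlet-name>csv_servlet</servlet-name>
       <url-pattern>/csv</url-pattern></servlet-mapping> -->
  <!-- <servlet-mapping><servlet-name>pdf_servlet</servlet-name>
       <url-pattern>/pdf</url-pattern></servlet-mapping> -->
  <servlet-mapping><servlet-name>xml_servlet</servlet-name>
    <url-pattern>/xml</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>json_servlet</servlet-name>
    <url-pattern>/json</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    # Pass the path to web.xml as the first argument; without one the sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    remaining = active_mappings(data)
    for name, patterns in sorted(remaining.items()):
        print(f"STILL MAPPED: {name} -> {patterns}")
    sys.exit(1 if remaining else 0)
```

The script exits non-zero when any listed servlet is still mapped, so it can gate the Tomcat restart in step 5.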


James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.