CVE-2026-2587:
Java Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-2587 is a critical Remote Code Execution (RCE) vulnerability in the server-side template rendering mechanism of Eclipse GlassFish's gadget handler, classified as an Expression Language (EL) Injection (CWE-917). The vulnerability affects org.glassfish.jsftemplating:jsftemplating versions before 4.2.0 and org.glassfish.main.admingui:admingui versions before 8.0.2 (Eclipse GlassFish before 8.0.2). It was published on May 19, 2026, with a patch released the same day. The CVSS v3.1 base score is 9.6 (Critical) (GitHub Advisory, Eclipse CVE Assignment).
Técnicas
The root cause is improper neutralization of special elements in Expression Language statements (CWE-917) within GlassFish's gadget handler. The application processes .xml files and evaluates user-supplied values in a context where EL expressions (e.g., #{7*7}) are resolved server-side without sanitization or escaping. An attacker can inject malicious EL expressions into XML gadget parameters, which are then evaluated by the server, confirming RCE when the server returns the computed result (e.g., 49). A public PoC exploit script (CVE-2026-2587-Exploit-POC.py) is available that authenticates to the admin console, hosts a malicious XML probe with an EL canary, triggers the gadget.jsf endpoint, and confirms RCE (GitHub Advisory, PoC GitHub).
Impacto
Successful exploitation allows a remote attacker to fully compromise the underlying host running GlassFish. Consequences include arbitrary command execution, reading and modifying sensitive data, establishing persistence on the compromised system, and lateral movement within the broader infrastructure. All three security pillars — confidentiality, integrity, and availability — are rated High, and the changed scope indicates impact can extend beyond the vulnerable component itself (GitHub Advisory, Eclipse CVE Assignment).
Pasos de explotación
- Reconnaissance: Identify internet-facing GlassFish instances (versions before 8.0.2) using tools like Shodan or Censys, targeting exposed admin console ports (default: 4848) or the
gadget.jsfendpoint. - Authentication: Authenticate to the GlassFish admin console using valid credentials (the PoC supports
--usernameand--passwordparameters; default or weak credentials may be targeted). - Host malicious XML probe: Set up a local HTTP server (built into the PoC script via
--listen) to serve a crafted.xmlfile containing an EL canary expression such as#{7*7}. - Trigger gadget handler: Send a request to the
gadget.jsfendpoint with a parameter pointing to the attacker-controlled XML file URL (--callback-url), causing the server to fetch and process the malicious XML. - Confirm EL evaluation: Verify that the server evaluates the EL expression server-side (e.g., returns
49for#{7*7}), confirming RCE capability. - Execute arbitrary commands: Replace the canary EL expression with a malicious payload (e.g.,
#{Runtime.getRuntime().exec('...')}) to execute arbitrary OS commands, establish a reverse shell, exfiltrate data, or deploy persistence mechanisms (PoC GitHub, GitHub Advisory).
Indicadores de compromiso
- Network: Unusual HTTP requests to the
gadget.jsfendpoint with parameters referencing external URLs; outbound HTTP connections from the GlassFish server to attacker-controlled hosts (used to fetch malicious XML files); unexpected outbound connections on non-standard ports (reverse shell activity). - Logs: GlassFish access logs showing requests to
/gadget.jsfor similar endpoints with external URL parameters; server-side EL evaluation errors or unexpected numeric outputs (e.g.,49) in application logs; authentication events from unfamiliar IP addresses against the admin console. - File System: Unexpected
.xmlfiles or web shells written to the GlassFish deployment or temp directories; new cron jobs, scheduled tasks, or startup scripts created by the GlassFish service account. - Process: Unusual child processes spawned by the GlassFish JVM process (e.g.,
bash,sh,cmd.exe,curl,wget,python,nc); unexpected network listeners opened by the GlassFish process (PoC GitHub, GitHub Advisory).
Mitigación y soluciones alternativas
Upgrade to Eclipse GlassFish 8.0.2 or later, which patches the vulnerable org.glassfish.main.admingui:admingui component, and upgrade org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or later (GitHub Advisory, GlassFish Release). As interim mitigations: restrict network access to the GlassFish admin console (port 4848) to trusted IP ranges only; implement WAF rules to block EL injection patterns (e.g., #{, ${) in HTTP request parameters; disable EL evaluation in template contexts where user input is present if not required for functionality; and apply strict input validation and output encoding for all user-supplied values processed by the template rendering engine.
Reacciones de la comunidad
The vulnerability was noted in the OmniFish blog covering GlassFish 8.0.2's security fixes shortly after disclosure (OmniFish Blog). CISA included it in their weekly vulnerability bulletin (SB26-145), indicating recognition by the U.S. cybersecurity authority (CISA Bulletin). Community discussion was observed on Bluesky and security aggregator sites, and the vulnerability was featured in a PoC-of-the-week roundup in early June 2026 (PoC Week). Overall community sentiment reflects concern given the critical CVSS score and public PoC availability, though no widespread exploitation has been confirmed.
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Java Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."