CVE-2023-28462: 
Java vulnerability analysis and mitigation

A JNDI rebind operation vulnerability (CVE-2023-28462) affects the default ORB listener in Payara Server versions 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community) when running on Java 1.8u181 and earlier. The vulnerability was discovered by tr1ple from AntGroup FG and disclosed on March 15, 2023 (Payara Blog).

The vulnerability allows remote attackers to load malicious code on the server through JNDI directory scan operations. The exploit can be triggered via access to insecure ORB listeners exposed by a Payara Server installation. The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

When successfully exploited, attackers can load malicious code into a public-facing Payara Server installation using remote JNDI access via unsecured ORB listeners. The vulnerability is particularly dangerous as it only requires knowledge of the location of any unsecured ORB listener (hostname and port) to execute the attack (Payara Blog).

Several mitigation options are available: 1) Upgrade to Java 1.8u191 or later, or migrate to JDK11+, 2) Disable any public-facing ORB listeners if they are not used, 3) Configure all public-facing ORB listeners to use SSL/TLS communication. Payara Server 6.x users are not affected as it requires Java 11 minimum to run (Payara Blog).