
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2023-40051) was identified in Progress Application Server for OpenEdge (PASOE), affecting versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. The vulnerability was disclosed on January 18, 2024, and received a critical CVSS score of 9.1. The issue exists in the WEB transport mechanism of PASOE, which allows unintended file uploads to server directory paths (SecurityOnline, NVD).
The vulnerability stems from an oversight in the WEB transport mechanism of PASOE, which inherently supports file uploads across all web handlers, including the built-in ones. File upload is intended to be disabled by default by leaving the 'fileUploadDirectory' property in the openedge.properties file blank, but a blank value instead resolves upload paths against every directory accessible to the user account that started the PASOE instance. Wherever that account has write permission, including the root of a Linux filesystem or a Windows drive, an attacker can place files on the server (SecurityOnline).
If successfully exploited, the vulnerability allows attackers to upload files to server directory paths on systems running PASOE. The impact is particularly severe if the uploaded content contains malicious payloads that can further exploit the server or its network, potentially leading to larger-scale attacks. The critical CVSS score of 9.1 reflects the significant potential impact on system security (NVD).
Progress Software has released security updates in OpenEdge versions 11.7.18, 12.2.13, and 12.8.0 to address this vulnerability. For organizations unable to immediately apply these updates, a temporary mitigation involves setting the 'fileUploadDirectory' property in the openedge.properties file to a non-existent directory and restarting the instance (SecurityOnline).
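The version ranges and the configuration states described above can be checked mechanically. The following Python script is an added example written for this page; it is not code from Progress Software or from the sources cited. It encodes the affected and fixed versions exactly as the advisory lists them and audits a constructed openedge.properties fragment for the 'fileUploadDirectory' setting, distinguishing the blank default from the vendor workaround (a non-existent directory). The section names used in the sample (such as AppServer.SessMgr.oepas1) and the assumption that the property lives in per-instance sections are the author's assumptions, not facts stated on the page.

```python
"""Audit helpers for CVE-2023-40051 (added example; not Progress Software code).

Assumptions not taken from the advisory: the section layout of
openedge.properties and the per-instance section names in the sample below.
"""
import os
import re

# Fixed releases named in the advisory: 11.7.18, 12.2.13 and 12.8.0.
FIXED = {(11, 7): (11, 7, 18), (12, 2): (12, 2, 13)}
INNOVATION_FIXED = (12, 8, 0)


def parse_version(text):
    """'12.2.9' -> (12, 2, 9); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(text):
    """Return True if the OpenEdge version is inside an affected range.

    Returns None for branches the advisory text does not describe (e.g. 11.6),
    so callers can treat them as 'unknown' rather than silently 'safe'.
    """
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if v[0] == 12:
        # Assumed: 12.x branches other than 12.2 are innovation releases,
        # which the advisory says are affected prior to 12.8.0.
        return v < INNOVATION_FIXED
    if v[0] > 12:
        return False
    return None


def parse_properties(text):
    """Minimal INI-style parser for openedge.properties: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_upload_directory(text, isdir=os.path.isdir):
    """Classify each section that carries fileUploadDirectory.

    'blank'      -> the default blank value: per the advisory, uploads resolve
                    against every directory the PASOE account can write to
    'mitigated'  -> set to a directory that does not exist (vendor workaround)
    'restricted' -> set to an existing directory: uploads confined to it
    Sections without the property are skipped; the page does not say whether
    an absent property behaves like a blank one.
    """
    findings = {}
    for section, props in parse_properties(text).items():
        if "fileUploadDirectory" not in props:
            continue
        value = props["fileUploadDirectory"]
        if value == "":
            findings[section] = "blank"
        elif isdir(value):
            findings[section] = "restricted"
        else:
            findings[section] = "mitigated"
    return findings


# Constructed sample, not a real openedge.properties file.
SAMPLE_PROPERTIES = """\
# constructed sample for illustration
[AppServer.SessMgr.oepas1]
fileUploadDirectory=
[AppServer.SessMgr.oepas2]
fileUploadDirectory=/opt/pasoe/no-such-upload-dir
"""

if __name__ == "__main__":
    for ver in ("11.7.17", "11.7.18", "12.2.12", "12.2.13", "12.5.1", "12.8.0"):
        print(ver, is_vulnerable_version(ver))
    print(audit_upload_directory(SAMPLE_PROPERTIES))
```

The `isdir` parameter exists so the audit can be run against a properties file copied from another host without the local filesystem deciding whether the configured directory exists; pass a callback that reflects the target system. The version check returns three states rather than a boolean so that a branch the advisory does not mention is surfaced for manual review instead of being reported as patched.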
Progress Software has emphasized the urgency of applying the security patches, with a spokesperson stating, 'While we have not seen any evidence that this vulnerability has been exploited at this time, we are encouraging customers to apply the patch as soon as possible' (SecurityOnline).
Source: This report was generated using AI