Severity: high

JDBI Freemarker Template Engine Vulnerability Leads to Remote Code Execution

Jdbi's freemarker module is vulnerable to arbitrary command execution when an application permits attacker-influenced text to reach FreemarkerEngine.parse() as template source, affecting org.jdbi:jdbi3-freemarker through version 3.52.1 and potentially leading to RCE.

The jdbi3-freemarker library, when used with attacker-controlled template source, is vulnerable to remote code execution (RCE). This vulnerability stems from the improper neutralization of special elements used in the FreeMarker template engine. Specifically, the library’s default configuration does not restrict Java class instantiation within FreeMarker templates, allowing attackers to instantiate arbitrary classes, including those that can execute system commands. The vulnerability affects jdbi3-freemarker versions up to and including 3.52.1. Successful exploitation requires an application to depend on the vulnerable library and permit attacker-influenced text to be used as a SQL template, either directly or indirectly through template evaluation.

Attack Chain

  1. An attacker identifies an application using jdbi3-freemarker for SQL templating.
  2. The attacker discovers an endpoint where user-supplied input is incorporated into a SQL query.
  3. The attacker crafts a malicious FreeMarker template payload containing a Java class instantiation that executes arbitrary commands (e.g., ${"freemarker.template.utility.Execute"?new()("touch /tmp/jdbi-pwned")}).
  4. The attacker injects the malicious payload into the application’s vulnerable endpoint.
  5. The application processes the attacker’s input as a FreeMarker template using FreemarkerEngine.parse().
  6. Due to the lack of a TemplateClassResolver, FreeMarker’s legacy UNRESTRICTED_RESOLVER is active, allowing the instantiation of the freemarker.template.utility.Execute class.
  7. The Execute class executes the attacker’s command, creating the /tmp/jdbi-pwned file on the server.
  8. The attacker achieves arbitrary code execution on the server.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the application’s JVM. This can lead to complete compromise of the affected system, including data theft, system modification, and denial of service. The vulnerability impacts all jdbi3-freemarker releases through version 3.52.1. Applications relying on jdbi3-freemarker and dynamically constructing SQL queries with user-controlled data are at high risk.

Recommendation

  • Upgrade to a version of org.jdbi:jdbi3-freemarker that includes the fix described in GHSA-mggx-p7jf-jgw4 (versions > 3.52.1).
  • Apply the proposed patch in FreemarkerConfig.java and FreemarkerSqlLocator.java by setting TemplateClassResolver.ALLOWS_NOTHING_RESOLVER to prevent arbitrary Java class instantiation by default.
  • Deploy the provided Sigma rules to your SIEM to detect potential exploitation attempts targeting this vulnerability.
  • Sanitize user-provided input before incorporating it into SQL queries to prevent injection attacks.
  • If dynamic SQL templating is required, review and restrict the classes that can be instantiated within FreeMarker templates.
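The second and fifth recommendations come down to one FreeMarker setting. The class below is an added, stand-alone illustration of that hardening, not jdbi3-freemarker's own FreemarkerConfig.java or FreemarkerSqlLocator.java: it installs TemplateClassResolver.ALLOWS_NOTHING_RESOLVER so that any ?new class instantiation in a template raises a TemplateException while ordinary interpolation keeps working. The class name, template strings and data model are constructed for the example.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

/** Hardened FreeMarker setup mirroring the fix the advisory describes (added example). */
public final class SaferFreemarker {

    /** Build a Configuration that refuses every ?new class instantiation. */
    public static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Without this line FreeMarker's legacy UNRESTRICTED_RESOLVER is active
        // and a template may instantiate arbitrary classes through ?new.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Also switch off the ?api built-in, which exposes a wrapped object's Java API.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Render template text against a data model and return the output. */
    public static String render(Configuration cfg, String source, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = new Template("inline", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // Ordinary interpolation is unaffected by the resolver.
        String ok = render(cfg, "SELECT * FROM users WHERE id = ${id}", Map.of("id", 42));
        System.out.println(ok); // SELECT * FROM users WHERE id = 42

        // Constructed, harmless probe: ALLOWS_NOTHING_RESOLVER rejects any ?new call,
        // so a template that tries to instantiate a class no longer evaluates.
        try {
            render(cfg, "${\"java.lang.StringBuilder\"?new()}", Map.of());
            System.out.println("UNEXPECTED: instantiation succeeded");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The probe deliberately names a harmless class: the point of the check is that the resolver refuses ?new entirely, so the class being requested does not matter.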

Detection coverage (2 rules)

Detect JDBI Freemarker RCE Attempt via Execute Class

critical

Detects attempts to exploit the JDBI Freemarker RCE vulnerability by looking for the instantiation of the Execute class within FreeMarker templates.

Sigma rule | tactics: execution | techniques: T1205 | sources: process_creation, linux

Detect JDBI Freemarker RCE Attempt via touch command

high

Detects attempts to exploit the JDBI Freemarker RCE vulnerability by looking for the touch command within FreeMarker templates.

Sigma rule | tactics: execution | techniques: T1205 | sources: process_creation, linux

Detection queries are kept inside the platform.