Apache · Commons-Beanutils · CVE-2023-37895
**Name of the Vulnerable Software and Affected Versions**
Apache Jackrabbit versions 2.20.10 and earlier (stable branch)
Apache Jackrabbit versions 2.21.17 and earlier (unstable branch)
**Description**
A Java object deserialization issue in Apache Jackrabbit webapp/standalone on all platforms allows an attacker to remotely execute code via RMI. The issue is related to the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to immediately update to versions 2.20.11 or 2.21.18. In general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath.
The native RMI protocol listens on port 1099 by default. RMI-over-HTTP in Jackrabbit is served under the path "/rmi" by default. To check whether RMI support is enabled, use a tool such as "netstat" to see whether the native RMI port is listening, and an HTTP GET request against the "/rmi" path to check RMI-over-HTTP.
**Recommendations**
To resolve the issue for versions 2.20.10 and earlier (stable branch), update to version 2.20.11.
To resolve the issue for versions 2.21.17 and earlier (unstable branch), update to version 2.21.18.
As a temporary workaround, consider disabling RMI access altogether by removing the declaration and the mapping definition for the RemoteBindingServlet in the web.xml file and setting rmi.enabled=false in the bootstrap.properties file.
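The following script is an added example, not part of the Apache advisory, that turns the two checks above (RMI exposure per the port/path section, and the web.xml / bootstrap.properties workaround) into offline verification. It assumes the stock Jackrabbit webapp layout in which the RemoteBindingServlet is declared in web.xml and rmi.enabled lives in bootstrap.properties; the servlet class name, the sample web.xml fragments, the sample properties file and the netstat output are all constructed for illustration.

```python
"""Verify the CVE-2023-37895 workaround and detect RMI exposure from saved artifacts.

Added example, not code from the Apache Jackrabbit project. Inputs are plain
text captured from the host (web.xml, bootstrap.properties, `netstat -tln`
output), so the checks run offline and can be dropped into a config audit.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

RMI_PORT = 1099  # default native RMI port named in the advisory

# Constructed sample: web.xml fragment before the workaround. The servlet class
# name is an assumption about the stock webapp; the checker only needs the
# class to end in "RemoteBindingServlet", as the advisory names it.
WEB_XML_VULNERABLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>RMI</servlet-name>
    <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RMI</servlet-name>
    <url-pattern>/rmi</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed sample: same file after both the declaration and the mapping are removed.
WEB_XML_HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>Repository</servlet-name>
    <servlet-class>org.example.OtherServlet</servlet-class>
  </servlet>
</web-app>"""

# Constructed sample bootstrap.properties files.
BOOTSTRAP_VULNERABLE = "# constructed sample\nrepository.home=jackrabbit\nrmi.enabled=true\n"
BOOTSTRAP_HARDENED = "# constructed sample\nrepository.home=jackrabbit\nrmi.enabled=false\n"

# Constructed sample `netstat -tln` output showing a native RMI listener.
NETSTAT_SAMPLE = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1099            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so web.xml files with xmlns still match."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el: ET.Element, name: str) -> str:
    """Text of the first direct child with the given local tag name, or ''."""
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def rmi_servlet_findings(web_xml: str) -> list[str]:
    """One finding per leftover RemoteBindingServlet declaration or /rmi mapping."""
    root = ET.fromstring(web_xml)
    findings: list[str] = []
    rmi_names: set[str] = set()
    for el in root.iter():
        if _local(el.tag) == "servlet":
            cls = _child_text(el, "servlet-class")
            if cls.endswith("RemoteBindingServlet"):
                name = _child_text(el, "servlet-name")
                rmi_names.add(name)
                findings.append(f"servlet declaration '{name}' still loads {cls}")
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            name = _child_text(el, "servlet-name")
            pattern = _child_text(el, "url-pattern")
            if name in rmi_names or pattern == "/rmi":
                findings.append(f"servlet-mapping '{name}' still exposes '{pattern}'")
    return findings


def rmi_enabled_in_bootstrap(props: str) -> bool:
    """True unless rmi.enabled is explicitly 'false' (the workaround requires the explicit value)."""
    value = "true"  # conservative: an absent key is reported as not disabled
    for line in props.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == "rmi.enabled":
            value = m.group(2).strip()
    return value.lower() != "false"


def rmi_listeners(netstat_output: str, port: int = RMI_PORT) -> list[str]:
    """Local addresses in `netstat -tln` text that are LISTENing on the RMI port."""
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            local = parts[3]
            if local.rsplit(":", 1)[-1] == str(port):
                hits.append(local)
    return hits


def workaround_applied(web_xml: str, props: str) -> bool:
    """Both halves of the advisory's workaround must be in place."""
    return not rmi_servlet_findings(web_xml) and not rmi_enabled_in_bootstrap(props)


if __name__ == "__main__":
    print("vulnerable config applied? ", workaround_applied(WEB_XML_VULNERABLE, BOOTSTRAP_VULNERABLE))
    print("hardened config applied?   ", workaround_applied(WEB_XML_HARDENED, BOOTSTRAP_HARDENED))
    print("native RMI listeners:       ", rmi_listeners(NETSTAT_SAMPLE))
```

Run it against files exported from the host (`cat web.xml`, `cat bootstrap.properties`, `netstat -tln`) rather than the embedded samples; a listener on 1099 after the workaround usually means the standalone bootstrap still has rmi.enabled set or the service has not been restarted.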