CVE-2024-45955 - SQL Injection Vulnerability Discovered in Rocket Zena 4.4.1.26

NetbyteSEC Security Advisory - Authenticated SQL Injection Vulnerability Discovered in Rocket Zena 4.4.1.26
 
Title: Authenticated SQL Injection Vulnerability Discovered in Rocket Zena 4.4.1.26
Advisory ID: NBS-2025-0001
Product: Rocket Zena
Affected Version: 4.4.1.26
CVE ID: CVE-2024-45955
Author: Adib Farhan Sayuti | Muhammad Abdul Aalim Ahmad Rozli | NetbyteSEC
 
 
Vendor/Product Description
 
Rocket Zena is a multi-platform workload automation tool that manages tasks and monitors system events. It supports the creation of integrated business processes using a visual modeling interface, with compatibility for both legacy and modern application environments.
 
 
Vulnerability Overview
 
Rocket Zena is vulnerable to SQL Injection. The vulnerability was identified when a single quote (') was entered into the filter parameter and the application returned a SQL error. This indicates insufficient input sanitization and improper handling of user-supplied data, which may allow attackers to manipulate database queries.

The vulnerability was patched by Rocket Software in version 4.4.2.50 (08-01-2024).
 
 
Technical Details
 
Exploiting this vulnerability requires an authenticated standard user. The application allows users to search the log of processed tasks, and the search value is vulnerable to SQL Injection.
 

Figure 1.0: SQL error displayed after inserting a single quote

 
The SQL Injection can be used to retrieve the database banner via the following URL, which contains the payload.

Figure 1.1: Affected endpoint with payload to display version of database

 
The payload used in this case was ')/**/AND/**/1111/**/IN/**/(SELECT/**concat(@@VERSION,'---TEST'))/**/AND/**/('a'/**/LIKE/**/'a
 
Figure 1.2: The database version was returned in the response
 
Several endpoints in the application were found to be vulnerable to SQL Injection:
  • https://redacted/oc_main/zenaweb/scheduler/logs/search?_dc=1721296437888&folderid=&listdate=2024.07.18&filter=

  • https://redacted/oc_main/zenaweb/events/search?_dc=1721398132245&folderid=&listdate=2024.07.19&filter=

  • https://redacted/oc_main/zenaweb/alerts/search?_dc=1721397542554&folderid=&listdate=2024.07.19&filter=

The vulnerability affects version 4.4.1.26, as shown in the image below:

Figure 1.3: Rocket Zena affected version.
 
 
Mitigation
 
At this time, the vulnerability has been addressed in update 4.4.2.50 (08-01-2024). A later update, 4.4.3, is also available. Those who cannot immediately update their application to version 4.4.2.50 or newer are advised to deploy a WAF (Web Application Firewall) that can detect and block common SQL injection payloads in HTTP requests.
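
To complement the WAF mitigation with log review, the following added example (not part of the original advisory and not Rocket Software code) flags requests to the three search endpoints listed above whose filter value contains SQL syntax. The combined access log format, the marker list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path suffixes of the search endpoints listed in the advisory.
AFFECTED_PATHS = (
    "/zenaweb/scheduler/logs/search",
    "/zenaweb/events/search",
    "/zenaweb/alerts/search",
)

# Heuristic markers of SQL syntax in a search filter (assumed rule set, tune locally).
SQLI_MARKERS = re.compile(
    r"'|/\*|\*/|--|@@\w+|\b(select|union|concat|sleep|waitfor|information_schema)\b",
    re.IGNORECASE,
)

# Client IP, request target and status from a combined-format log line (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation IP ranges, invented timestamps and sizes).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jul/2024:10:00:01 +0000] "GET /oc_main/zenaweb/scheduler/logs/search?_dc=1&folderid=&listdate=2024.07.18&filter=backup HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Jul/2024:10:00:09 +0000] "GET /oc_main/zenaweb/scheduler/logs/search?_dc=2&folderid=&listdate=2024.07.18&filter=%27 HTTP/1.1" 500 230',
    '203.0.113.5 - - [19/Jul/2024:09:12:44 +0000] "GET /oc_main/zenaweb/events/search?_dc=3&folderid=&listdate=2024.07.19&filter=a%2F%2A%2A%2Fb HTTP/1.1" 200 100',
    '203.0.113.5 - - [19/Jul/2024:09:13:00 +0000] "GET /oc_main/zenaweb/other?filter=%27 HTTP/1.1" 200 100',
]

def suspicious_filter_requests(log_lines):
    """Return (ip, path, status, decoded filter) for each flagged request."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        if not url.path.endswith(AFFECTED_PATHS):
            continue  # only the endpoints named in the advisory
        # parse_qs percent-decodes values, so encoded quotes and comments are caught.
        for value in parse_qs(url.query, keep_blank_values=True).get("filter", []):
            if SQLI_MARKERS.search(value):
                hits.append((m.group("ip"), url.path, int(m.group("status")), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_filter_requests(SAMPLE_LOG):
        print(hit)
```

Hits that coincide with error responses from the same client are the closest match to the single-quote behaviour described in the overview.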
 
 
Vendor Contact Timeline
 
2024-07-23: Contact vendor via [email protected]
2024-07-29: Submit vulnerability disclosure to vendor through email
2024-08-01: Vendor acknowledged the report
2024-08-08: Vendor fixed the vulnerability
2024-08-19: Submit private disclosure to CVE assignee
2024-10-02: CVE number assigned by MITRE
 
NetByteSEC Sdn Bhd

===================

NetbyteSEC Sdn Bhd was incorporated under the Malaysian Companies Act 1965 in 2013.
NetbyteSEC is privately owned and is based in Cyberjaya, Selangor, Malaysia.
More information about NetbyteSEC Sdn Bhd can be found at: 
https://www.netbytesec.com