Progress OpenEdge AdminServer Remote Command Execution Vulnerability via Java RMI
Vulnerability
A remote command execution vulnerability has been identified in the OpenEdge AdminServer component, affecting all versions prior to 12.2.17 and 12.8.8. The issue arises from inadequate input validation in the Java RMI interface, allowing authenticated users to inject and execute operating system commands under the privileges of the AdminServer process. The injection point is the workDir parameter, which is passed to jvmStart as the -w argument: because the value is used as an unquoted string when the command line is built, a crafted workDir can break out of the intended argument and cause arbitrary commands to run with the AdminServer's elevated rights.
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary operating system commands with the elevated privileges of the AdminServer process, which typically runs as NT AUTHORITY\SYSTEM on Windows systems.
Remediation
Users are advised to upgrade to OpenEdge LTS Update 12.2.18 or 12.8.9. For those unable to upgrade immediately, temporary mitigations include disabling remote RMI access, restricting RMI to trusted IPs or subnets, and running the AdminServer process as a minimally privileged service account. If remote RMI must be re-enabled, it should be done with caution and with awareness of the associated risks.
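The vulnerability described above belongs to a well-known class: a caller-controlled value (here workDir) is spliced unquoted into a command line, so whitespace and shell metacharacters in the value change the argument boundaries the launcher intended. The following added example, which is not Progress OpenEdge code and does not reproduce jvmStart, illustrates the class and the hardened pattern that the remediation guidance points toward. The JVM command template, the allowed work-directory root (/opt/openedge/work), the POSIX path rules and the validation function names are assumptions made for the illustration; the tainted input is constructed.

```python
"""Unquoted-argument command injection (the class behind the advisory) and
the hardened launch pattern. Added example: the command template, the
allowed root and the validation rules are assumptions, not OpenEdge code."""
import re
import shlex
import subprocess
from pathlib import PurePosixPath

# Assumed launch template, modelled on the advisory's "-w <workDir>" argument.
JVM_TEMPLATE = "java -w {work_dir} -cp app.jar Main"

# Assumed policy: work directories must live under this root (POSIX paths;
# a Windows deployment would normalise drive letters and backslashes instead).
ALLOWED_ROOT = PurePosixPath("/opt/openedge/work")

# Whitespace, POSIX-shell and cmd.exe metacharacters, and control characters.
_FORBIDDEN = re.compile(r'[\s;&|<>`$()"\'\\%^\x00-\x1f]')


def build_unquoted_command(work_dir: str) -> str:
    """Vulnerable pattern: the caller-supplied value is spliced into one
    command string with no quoting, so its content becomes shell syntax."""
    return JVM_TEMPLATE.format(work_dir=work_dir)


def shell_view(command: str) -> list[str]:
    """Tokenise the string the way a POSIX shell would, keeping metacharacters
    such as ';' as their own tokens, to show where the argument boundaries
    actually end up."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_work_dir(work_dir: str) -> PurePosixPath:
    """Reject values containing shell syntax, relative components, or a
    location outside the allowed root. Raises ValueError on any violation."""
    if _FORBIDDEN.search(work_dir):
        raise ValueError("workDir contains whitespace or shell metacharacters")
    path = PurePosixPath(work_dir)
    if not path.is_absolute() or ".." in path.parts:
        raise ValueError("workDir must be an absolute path without '..'")
    if path.parts[: len(ALLOWED_ROOT.parts)] != ALLOWED_ROOT.parts:
        raise ValueError("workDir is outside the allowed root")
    return path


def build_safe_argv(work_dir: str) -> list[str]:
    """Hardened pattern: validate first, then hand the value to the OS as a
    single argv element. Launching with subprocess.run(argv) and no
    shell=True means the value is never re-parsed as shell syntax."""
    path = validate_work_dir(work_dir)
    return ["java", "-w", str(path), "-cp", "app.jar", "Main"]


def launch(work_dir: str) -> subprocess.CompletedProcess:
    """Launch with the safe argv (no shell). Not exercised by the tests."""
    return subprocess.run(build_safe_argv(work_dir), check=False)


if __name__ == "__main__":
    # Constructed tainted value: a path followed by a command separator.
    tainted = "/opt/openedge/work/db; echo injected"
    print("shell sees:", shell_view(build_unquoted_command(tainted)))
    try:
        build_safe_argv(tainted)
    except ValueError as exc:
        print("rejected:", exc)
    print("safe argv:", build_safe_argv("/opt/openedge/work/db"))
```

The `shell_view` output makes the defect visible: the value that was meant to be one `-w` argument is split at the `;`, and everything after it is a second command. The hardened path fixes it twice over, by refusing values that contain shell syntax or leave the allowed root, and by passing the argument as a list element so that no shell ever parses it.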