Bonita Authorization Bypass (CVE-2022-25237)
Description
Bonita is an open-source business process management (BPM) and workflow automation platform.
Bonita versions 2021.2 and earlier contain an authorization bypass (CWE-863: Incorrect Authorization). By sending specially crafted HTTP requests, an attacker with no valid session, or with only a low-privileged one, can evade the checks that enforce authentication and authorization on the Bonita REST API and reach endpoints meant to be restricted to privileged users. Because that API exposes administrative functionality, the bypass can be chained into remote code execution on the server hosting Bonita.
Remediation
Apply the following remediation steps as soon as possible:
1. Upgrade Bonita to version 2022.1 or later, which contains the fix for CVE-2022-25237. Validate the upgrade in a staging environment first if change control requires it, but do not let that delay production patching.
2. Review the application server access logs and Bonita application logs for signs of prior exploitation: successful REST API responses to requests that were not preceded by a normal login, API requests from unexpected source addresses, and requests with unusual path encodings. Treat any match as a potential compromise and investigate follow-on activity on the host (new accounts, unexpected deployments, new processes).
3. If immediate patching is not possible, restrict network access to the Bonita application (firewall rules or a reverse proxy allowlist) to trusted IP addresses only. This is a stopgap: it reduces exposure but does not remove the flaw, and it offers no protection against an attacker who is already inside the trusted range.
4. After upgrading, verify that authorization controls are functioning correctly: unauthenticated requests to restricted API endpoints must be rejected (HTTP 401), and an authenticated non-privileged account must be refused access (HTTP 403) to administrative endpoints it should not be able to call.
5. Consider a Web Application Firewall (WAF) as defense-in-depth. A WAF rule only helps if it recognizes the crafted request shape, so it supplements the upgrade rather than replacing it.
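The log review in step 2, as an added example that is not code from the original advisory or from Bonitasoft. The script parses Tomcat-style access log lines, assumes the default /bonita context path with its /bonita/API REST prefix, and applies two generic heuristics: successful (2xx) API responses from addresses outside a trusted-network allowlist, and request paths containing matrix parameters or traversal sequences, which are a common way to make a URL-pattern authorization check and the servlet dispatcher disagree about the target resource. The allowlist, the heuristics and the log lines are constructed for illustration; they are not a signature for this CVE's exact request.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed default Bonita context path; compared case-insensitively.
API_PREFIX = "/bonita/api"

# Tomcat common/combined log prefix: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Generic path-normalization anomalies (matrix params, traversal, encoded '.', '/', ';').
# This is a heuristic for URL-pattern filter bypasses in general, not this CVE's signature.
PATH_ANOMALY_RE = re.compile(r"(;|\.\./|\.\.$|%2e|%2f|%3b)", re.IGNORECASE)

# Tomcat URL rewriting legitimately appends ';jsessionid=...' when cookies are disabled,
# so strip it before looking for anomalies to avoid a flood of false positives.
JSESSIONID_RE = re.compile(r";jsessionid=[^/;?]*", re.IGNORECASE)

# Constructed sample: a normal login + API call from inside, then an outside address that is
# first denied, then gets 2xx on an oddly formed path, then creates a user.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2022:10:01:22 +0000] "POST /bonita/loginservice HTTP/1.1" 200 0
10.0.0.5 - - [12/Mar/2022:10:01:23 +0000] "GET /bonita/API/identity/user?p=0&c=10 HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2022:10:05:10 +0000] "GET /bonita/API/identity/user?p=0&c=10 HTTP/1.1" 401 0
203.0.113.9 - - [12/Mar/2022:10:05:11 +0000] "GET /bonita/API/identity/user;x HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2022:10:05:12 +0000] "POST /bonita/API/identity/user HTTP/1.1" 200 87
192.168.1.20 - - [12/Mar/2022:10:06:00 +0000] "GET /bonita/portal/homepage HTTP/1.1" 200 2048
"""

# Constructed allowlist: networks from which API access is expected.
TRUSTED_NETWORKS = ["10.0.0.0/8"]


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # A 2xx on an anomalous path is the strongest indicator the filter was sidestepped.
        if "path_anomaly" in self.reasons and 200 <= self.status < 300:
            return "high"
        return "medium"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def triage(lines, trusted_networks):
    """Flag REST API requests that look like unauthorized access; returns a list of Finding."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]
        if not path.lower().startswith(API_PREFIX):
            continue  # only the REST API is in scope for this CVE
        try:
            trusted = any(ipaddress.ip_address(rec["ip"]) in n for n in nets)
        except ValueError:
            trusted = False  # unparseable source address: treat as untrusted
        reasons = []
        if 200 <= rec["status"] < 300 and not trusted:
            reasons.append("api_2xx_from_untrusted_source")
        if PATH_ANOMALY_RE.search(JSESSIONID_RE.sub("", path)):
            reasons.append("path_anomaly")
        if reasons:
            findings.append(Finding(rec["ip"], rec["method"], path, rec["status"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines(), TRUSTED_NETWORKS):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status}: {', '.join(f.reasons)}")
```

Run it against the real access log (`triage(open(path), TRUSTED_NETWORKS)`) and review every high finding by hand; a medium finding from an address that is outside the allowlist but known to be legitimate (a VPN egress, a monitoring host) just means the allowlist needs updating. Denied requests (401/403) from the same address shortly before a success are worth correlating as well, since they show the attacker probing before finding a working request.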