Summary & Key Actions Required

We are continuing to analyze CVE-2023-26119, which we became aware of on 3rd April 2023. It currently has a CVSS score of 9.8 and affects the software component HtmlUnit, which is used in HTTP_RESPONSE custom checks as well as in some standard checks based on HTTP. We will update this article as more information becomes available and will highlight any change to our recommendations or plans.

Avantra is planning to include a fixed version of this component in our upcoming Avantra 23.2 release which is expected towards the middle/end of April 2023.

Related security articles:

CVE-2023-26119 Summary

Please see this article for more information:

Impact to Avantra

This CVE impacts standard and custom checks that read remote website data, for example HTTP_RESPONSE and J2EEConnect, when they are configured to connect to the website as a user would (JavaScript enabled) and to interact with the page and return data for the check. The affected component is bundled with each Avantra Agent (< 23.2); however, it is only used if such a check is configured on that agent.

If the websites that the Avantra checks connect to are trusted, the impact of this CVE is mitigated. This issue is only a security concern when the Avantra checks mentioned above connect to a compromised third-party website. However, we encourage all customers to update once the fix becomes available later this month.

Impact on our customers

The attack vector for this CVE is malicious content placed on the website targeted by a check; when HtmlUnit reads that content, it can run external commands in the context of the Avantra Agent. For our customers we recommend that:

  • Only internal or known trusted sites are used in HTTP_RESPONSE custom checks.
  • SSL is enabled on each of these, especially if the site is external to your internal network.
  • Once an updated Avantra Agent is released, upgrade to this version to mitigate this vulnerability.
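The first two recommendations can be checked mechanically against the list of target URLs configured for HTTP_RESPONSE-style checks. The following is an added example, not Avantra's code: it assumes the configured checks can be exported as a simple mapping of check name to target URL (a constructed sample is embedded below) and flags any target that is not served over HTTPS or whose host is neither a private address nor on an assumed allowlist of trusted internal domains.

```python
"""Audit HTTP_RESPONSE-style check targets against two recommendations:
only trusted (internal or allowlisted) sites, and HTTPS on every target.

The check list, the allowlist and the mapping format are constructed for
this example; Avantra's real check configuration format is not assumed.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of internal domains (constructed for the example).
TRUSTED_SUFFIXES = ("corp.example",)

# Constructed sample export: check name -> target URL.
SAMPLE_CHECKS = {
    "intranet-portal": "https://intranet.corp.example/health",
    "legacy-status":   "http://10.0.0.5/status",
    "partner-api":     "https://partner.example.net/api",
    "public-site":     "http://example.org/",
}


def is_private_host(host):
    """True when the host is a literal private/loopback-range IP address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:          # not an IP literal (a hostname)
        return False


def is_trusted_host(host, trusted_suffixes=TRUSTED_SUFFIXES):
    """Trusted if the host is a private IP or is on / under an allowlisted domain."""
    if is_private_host(host):
        return True
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def audit_check_url(url, trusted_suffixes=TRUSTED_SUFFIXES):
    """Return the list of findings for one target; an empty list means it
    satisfies both recommendations."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if not is_trusted_host(host, trusted_suffixes):
        findings.append("untrusted-host")
    return findings


def audit_checks(checks, trusted_suffixes=TRUSTED_SUFFIXES):
    """Audit every configured check; only checks with findings are returned."""
    report = {}
    for name, url in checks.items():
        findings = audit_check_url(url, trusted_suffixes)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_checks(SAMPLE_CHECKS).items():
        print(f"{name}: {', '.join(findings)}")
```

Checks flagged as untrusted-host are the ones to review against the interim recommendation above; checks flagged as not-https should be moved to an HTTPS endpoint, particularly where the target is outside the internal network.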

Change Log

4th April 2023 @ 10:00 CET: Initial Notice Published

We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.