Judge0 [1] [2] [3] [4], a widely used open-source service for secure sandboxed code execution, has been found to have critical vulnerabilities that pose significant risks to organizations focused on development and cybersecurity.

Description

Tanto Security disclosed critical vulnerabilities in Judge0, tracked as CVE-2024-29021 and CVE-2024-28189 [4]. These vulnerabilities could allow attackers to escape the sandbox and gain root access to host machines [3] [4]. They were initially identified through source code analysis and exploitation [4], with the default password for the Judge0 configuration file serving as a potential entry point for attackers [4].

Judge0's developers made initial patching efforts [3], but subsequent bypasses were discovered [3], highlighting the need for continuous vigilance and proactive security measures [3]. The investigation revealed weaknesses in the isolate binary [3], which operates in a privileged mode [3], allowing access to restricted components of the host system [3]. Vulnerabilities were found in the processing of user-submitted code [3], facilitating the injection of malicious commands and potential system compromise [3].

The cybersecurity community has called for immediate action to patch the vulnerabilities and secure Judge0 instances [4], emphasizing the importance of reviewing configurations, updating passwords [4], and applying security updates to mitigate risks [4]. A fix was released in version 1.13.1 to address these issues [1], underlining the importance of proactive security measures in the face of emerging threats in the cybersecurity landscape [1].
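The review steps above (apply the 1.13.1 fix, replace default passwords), as an added example that is not code from the article or from the Judge0 project: it compares a deployment's version with the fix release and flags empty or placeholder password values in a KEY=VALUE configuration file. The key names, the placeholder list, the minimum length and the sample file are assumptions constructed for illustration.

```python
import re

FIXED_VERSION = (1, 13, 1)  # fix release named in the article

# Assumption: constructed placeholder list, not Judge0's shipped values.
PLACEHOLDERS = {"", "changeme", "password", "secret"}

def parse_version(text):
    """Turn '1.13.0' or 'v1.13.0' into (1, 13, 0) so 1.9.x sorts below 1.13.x."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def parse_conf(text):
    # Parse KEY=VALUE lines, skipping blanks and '#' comments.
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(version, conf_text, min_len=16):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(f"version {version} predates the 1.13.1 fix")
    for key, value in parse_conf(conf_text).items():
        if not key.upper().endswith("PASSWORD"):  # assumed naming convention
            continue
        stem = re.sub(r"\d+$", "", value.lower())  # 'changeme123' -> 'changeme'
        if stem in PLACEHOLDERS:
            findings.append(f"{key}: empty or placeholder value")
        elif len(value) < min_len:
            findings.append(f"{key}: shorter than {min_len} characters")
    return findings

# Constructed sample configuration (key names are assumptions).
SAMPLE_CONF = """\
REDIS_PASSWORD=changeme123
POSTGRES_PASSWORD=
MAX_QUEUE_SIZE=100
"""

if __name__ == "__main__":
    for finding in audit("1.13.0", SAMPLE_CONF):
        print(finding)
```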

Conclusion

The vulnerabilities in Judge0 could have serious consequences for organizations, highlighting the importance of implementing security measures to protect against potential attacks. It is crucial for organizations to promptly apply security updates and review configurations to mitigate risks and safeguard their systems from exploitation. The discovery of these vulnerabilities underscores the ongoing need for vigilance and proactive security measures in the ever-evolving cybersecurity landscape.

References

[1] https://rhyno.io/blogs/cybersecurity-news/sandbox-escape-vulnerabilities-in-judge0-open-systems-to-takeover/
[2] https://www.443news.com/2024/04/sandbox-escape-vulnerabilities-in-judge0-expose-systems-to-complete-takeover/
[3] https://www.infosecurity-magazine.com/news/judge0-sandbox-flaws-systems/
[4] https://cybersecuritynews.com/judge0-security-vulnerabilities/