Prevent remote code execution on PPM application server


Article ID: 194945




Clarity PPM On Premise, Clarity PPM SaaS


By means of a process and a GEL script, an authenticated user with process execution access rights can execute code on the application server.

Follow the steps below to reproduce this and to read out the system environment variables of the clarity OS user.

Environment used: PPM 15.8.0 Linux/Oracle 12 R2.

1. Create a process
2. Create a process step which runs the following GEL code

<gel:script xmlns:core="jelly:core"
    xmlns:gel="jelly:com.niku.union.gel.GELTagLibrary"
    xmlns:sql="jelly:sql"
    xmlns:email="jelly:email"
    xmlns:file="jelly:com.niku.union.gel.FileTagLibrary"
    xmlns:ftp="jelly:com.niku.union.gel.FTPTagLibrary"
    xmlns:soap="jelly:com.niku.union.gel.SOAPTagLibrary"
    xmlns:soapenv=""
    xmlns:xog=""
    xmlns:xsd=""
    xmlns:xsi="">
 <core:invokeStatic className="java.lang.System" method="getenv" var="envmap"/>
 <core:forEach items="${envmap.entrySet()}" var="entryset">
 <core:invokeStatic className="java.lang.System" method="getSecurityManager" var="securityManager"/>
 <gel:out>sm is null: ${securityManager == null}, if not, class:  ${securityManager.getClass()}</gel:out>

3. Connect the step, validate, activate and run the process.

Outcome: You can see all system environment variables in the log output.

2020/06/18 13:23:15.390 | DATABASE_SERVICE_ID=clarity
2020/06/18 13:23:15.390 | JAVA_URL_VERSION=11.0.3_7
2020/06/18 13:23:15.391 | WRAPPER_HOSTNAME=dd5bdc96656d
2020/06/18 13:23:15.391 | WRAPPER_BITS=64
2020/06/18 13:23:15.391 | NSA_ENTRY_URL=http://localhost:8090
2020/06/18 13:23:15.391 | SCRIPTS_DIR=image-scripts
2020/06/18 13:23:15.391 | WRAPPER_HOST_NAME=dd5bdc96656d
2020/06/18 13:23:15.391 | LD_LIBRARY_PATH=/opt/clarity/clarity/bin:
2020/06/18 13:23:15.391 | DATABASE_DWH_SERVICE_NAME=clarity
2020/06/18 13:23:15.391 | SHLIB_PATH=/opt/clarity/clarity/bin:
2020/06/18 13:23:15.391 | TOMCAT_HOME=/opt/apache-tomcat
2020/06/18 13:23:15.391 | PWD=/opt/clarity/clarity/lib
2020/06/18 13:23:15.391 | DATABASE_DWH_SERVICE_ID=clarity
2020/06/18 13:23:15.391 | JAVA_BASE_URL=
2020/06/18 13:23:15.392 | HOME=/home/clarity
2020/06/18 13:23:15.392 | sm is null: true, if not, class:  
2020/06/18 13:23:15.593 | INFO  2020-06-18 13:23:15,590 [Custom script execution pool-675-thread-1] utilities.BpmErrors (clarity:admin:5464551__32C11F60-D51D-447D-8F3E-62341F5CF8D2:none) ( Step Action Id: 5026000 Process Instance Id: 5011000 Step Instance Id: 5011001)
2020/06/18 13:23:16.595 | INFO  2020-06-18 13:23:16,583 [Post Condition Transition Pipeline 0 (tenant=clarity)] messageserver.MessageServerImpl (clarity:process_admin:5460041__52AAFDDD-6857-492D-95F5-4D38D50F75CC:none) Topic: BPM Registering interest in InterestMessage{_objectCode='step', _objectId=5011002, _messageCode='null', _source='BPM', _fromServer='this'  }


Release: 15.8.1 and supported PPM releases



After investigating the possible remote code execution/command injection, engineering confirms there is no real threat of code injection: guard rails are already present in GEL to restrict the tags that are allowed. To enable the GEL tag restriction, a PPM admin can add gelTagRestriction="on" in the PPM properties.xml. Running the same process then fails with the following error:

BPM-0704: An error occurred while executing custom script: com.niku.union.gel.GELValidationException; lineNumber: 14; columnNumber: 92; Environmental tag restrictions are in place. Tag 'invokeStatic' is not registered for use in this system. 

FedRAMP-enabled SaaS environments already have such restrictions in place. Based on further testing, only certain GEL tags are enabled there, allowing NSQL queries only.

To summarize: a PPM admin can turn the restriction ON to restrict the tags that can be used in GEL scripts. With the setting left OFF, there is no scope for raising a defect about code injection.
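An added audit example (not Broadcom code): it checks a properties.xml document for the gelTagRestriction="on" setting described above and pulls rejected tags out of log lines containing the BPM-0704 text quoted above. The article does not say which element carries the attribute, so every element is searched; the `system` element and all sample data are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ATTR = "gelTagRestriction"  # attribute name as given in the article

def restriction_enabled(properties_xml):
    """Return True only if the attribute is present and every occurrence is "on".

    Fails closed: a missing attribute or any other value counts as not enabled.
    """
    root = ET.fromstring(properties_xml)
    values = [el.attrib[ATTR] for el in root.iter() if ATTR in el.attrib]
    return bool(values) and all(v == "on" for v in values)

# Matches the BPM-0704 text quoted in the article; captures position and tag.
BLOCKED = re.compile(
    r"GELValidationException; lineNumber: (\d+); columnNumber: (\d+); "
    r"Environmental tag restrictions are in place\. Tag '([^']+)' is not registered"
)

def blocked_tags(log_lines):
    """Return (tag, line, column) for each script rejected by the restriction."""
    hits = []
    for line in log_lines:
        m = BLOCKED.search(line)
        if m:
            hits.append((m.group(3), int(m.group(1)), int(m.group(2))))
    return hits

# Constructed samples (not real configuration or log data); the <system>
# element name is an assumption, the audit itself does not depend on it.
SAMPLE_ON = '<properties><system gelTagRestriction="on"/></properties>'
SAMPLE_OFF = '<properties><system gelTagRestriction="off"/></properties>'
SAMPLE_MISSING = '<properties><system/></properties>'
SAMPLE_LOG = [
    "2020/06/18 13:23:15.392 | HOME=/home/clarity",
    "BPM-0704: An error occurred while executing custom script: "
    "com.niku.union.gel.GELValidationException; lineNumber: 14; columnNumber: 92; "
    "Environmental tag restrictions are in place. Tag 'invokeStatic' is not "
    "registered for use in this system.",
]

if __name__ == "__main__":
    for name, doc in [("on", SAMPLE_ON), ("off", SAMPLE_OFF), ("missing", SAMPLE_MISSING)]:
        print(name, restriction_enabled(doc))
    print(blocked_tags(SAMPLE_LOG))
```

A BPM-0704 hit of this kind means a process step tried to use a tag the restriction does not allow, which is worth reviewing together with who owns that process.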