Emissary is a P2P based data-driven workflow engine that runs in a heterogeneous possibly widely dispersed, multi-tiered P2P network of compute resources. The application’s Java source code is distributed by the official GitHub repository of the U.S. National Security Agency (NSA). An interesting pick for our research team to look at its code security.
Acording to SonarSource analysis, they discovered several code vulnerabilities in Emissary version 5.9.0. A combination of these vulnerabilities allows remote attackers to execute arbitrary system commands on any Emissary server. All in all, this may lead to the compromise of the whole P2P network.
In the blog post they analyze the technical root cause of three different security issues and demonstrate how attackers could exploit these. They reported all issues responsibly to the affected vendor who released multiple security patches to protect all users against the most severe vulnerabilities.
