Introduction
An unauthenticated telnet console that accepts commands from anyone on the network is already a bad day waiting to happen. When that console also provides a built in mechanism to download and execute arbitrary code, you get CVE-2023-54342: a CVSS 9.8 remote code execution vulnerability in Eclipse Equinox OSGi versions 3.8 through 3.18 that is already weaponized with public exploits.
Eclipse Equinox is the reference implementation of the OSGi core framework specification. It serves as the runtime foundation for all of Eclipse IDE and ships with every major Eclipse release, making its deployment footprint enormous across enterprise development environments, embedded systems, and any product built on the Eclipse platform. Because Equinox is so deeply embedded in downstream toolchains, a vulnerability in its console component has a wide blast radius that extends well beyond Eclipse IDE itself.
Technical Information
Root Cause: Missing Authentication for Critical Function (CWE-306)
The OSGi console provides a management interface that, when enabled, accepts telnet connections without requiring any form of authentication. The typical way users enable this interface is by starting the OSGi core with a command line option or configuration property that defines a listening port. A common misconfiguration binds the console to all network interfaces (0.0.0.0), accepting connections from any IP address on the network.
Once connected via telnet, an attacker has full access to the console's command set. Two commands are particularly relevant: exec and fork. The fork command is the key to exploitation because it executes a system command in a separate process without waiting for results. This behavior allows attackers to work around interactive constraints and command chaining restrictions present in the console.
Attack Flow
For OSGi versions 3.8 through 3.18, exploitation requires overcoming specific obstacles: a required telnet connection handshake and restrictions on command chaining or pipes within the console. The attack proceeds in stages:
- Telnet connection and handshake: The attacker connects to the OSGi console on the target system's listening port and completes the required telnet handshake sequence.
- Payload generation: The attacker prepares a Java source file on their own system. This file contains code that, when compiled and executed, opens a reverse shell connection back to the attacker.
- HTTP staging server: The attacker starts an HTTP server on their own machine to host the malicious Java file.
- First stage fork command: The attacker sends a fork command through the console that instructs the target system to reach out to the attacker's HTTP server and download the Java payload file.
- Second stage fork command: The attacker sends a second fork command that compiles and executes the downloaded Java file on the target system, establishing the reverse shell.
This staged approach successfully bypasses the command limitations inherent in the console and yields a fully functional reverse shell, giving the attacker interactive access to the underlying operating system with the privileges of the Equinox process.
Weaponization
The barrier to exploitation is extremely low. A complete exploit script is available on Exploit DB (EDB ID 51878), published by VisionSpace Technologies, which automates the entire telnet handshake and payload delivery process. Rapid7 has also published a Metasploit module ("Eclipse Equinox OSGi Console Command Execution") that packages the exploit into a point and click tool for penetration testers and, inevitably, threat actors.
Affected Systems and Versions
The vulnerability affects Eclipse Equinox OSGi versions 3.8 through 3.18 when the console interface is enabled and network accessible.
Specific vulnerable configurations include:
- Any Equinox deployment where the OSGi console is enabled via the osgi.console property with a port binding
- Deployments where the console is bound to 0.0.0.0 or any externally reachable interface
- Systems using the telnet console without firewall restrictions limiting source IP addresses
- Any downstream application or product embedding the Equinox runtime with the console enabled
Mitigation Strategies
Organizations should take immediate action to secure or disable the OSGi console. The following options are available, ordered from most to least restrictive:
Disable the console entirely: Set osgi.console=none in the configuration file. This is the most effective mitigation if the console is not required for production operations.
Bind telnet to localhost only: Set osgi.console=localhost:1234 to prevent external network access. This limits exposure to local processes.
Enable SSH with authentication: Use the osgi.console.ssh configuration and set up JAAS based user authentication or public key based authentication. This replaces the unauthenticated telnet interface with a properly authenticated SSH session.
Restrict network traffic: Implement dedicated firewall rules that allow connections to the console port only from specific, trusted administrative IP addresses.
If the console must remain enabled for operational reasons, transitioning from unauthenticated telnet to SSH sessions with proper authentication is strongly recommended. Network segmentation should ensure the console is only accessible from dedicated administrative workstations.
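An added example (not from the advisory or the Equinox project) that audits a config.ini for the osgi.console settings listed above and classifies how exposed the telnet listener is. The sample file is constructed, and the treatment of an empty value (console on standard input/output) and of a bare port (listens on all interfaces) is an assumption about Equinox behaviour.

```python
import ipaddress

# Constructed sample config.ini (illustrative, not from a real deployment).
SAMPLE = """\
osgi.bundles.defaultStartLevel=4
osgi.console=0.0.0.0:5555
"""

def parse_config(text):
    """Read key=value lines as found in config.ini, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def classify_console(value):
    """Map an osgi.console value to an exposure class."""
    if value is None:
        return "unset"           # launcher arguments may still enable it
    if value.lower() == "none":
        return "disabled"
    if value == "":
        return "stdio"           # assumption: stdin/stdout console, no listener
    host, _, port = value.rpartition(":")
    if not port.isdecimal() or not 0 < int(port) < 65536:
        return "invalid"
    if host == "":
        return "all-interfaces"  # assumption: bare port binds every interface
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "network"         # other hostname: treat as reachable
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "network"

def audit(text):
    props = parse_config(text)
    telnet = classify_console(props.get("osgi.console"))
    return {"telnet": telnet,
            "ssh_configured": "osgi.console.ssh" in props,
            "finding": telnet in ("all-interfaces", "network")}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A result of "unset" only covers the configuration file; a console enabled through launcher arguments has to be checked separately.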
Threat Intelligence
The public availability of exploit code makes this vulnerability immediately actionable for attackers of all skill levels. The Exploit DB script (EDB ID 51878) and the Rapid7 Metasploit module both provide turnkey exploitation capabilities that require minimal customization.
No specific advanced persistent threat groups have been publicly attributed as actively exploiting CVE-2023-54342 at the time of writing. However, the combination of a high CVSS score, unauthenticated access, and ready made exploit tooling makes opportunistic exploitation highly likely. Defenders should watch for inbound connections to OSGi console ports, fork command execution in console logs, and unexpected outbound connections from systems running Equinox.
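An added example (not from the original page) of the network side of that monitoring: it flags console connections from outside an admin allowlist, then any outbound connection from the Equinox host back to the same peer shortly afterwards, which matches the staged download described under Attack Flow. The flow-record format, addresses, ports and the 120-second window are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
FLOWS = [
    (1000, "10.0.5.20", "10.0.1.10", 5555),  # admin workstation -> console
    (2000, "10.0.9.77", "10.0.1.10", 5555),  # unknown host -> console
    (2004, "10.0.1.10", "10.0.9.77", 8000),  # Equinox host connects back to that peer
    (2009, "10.0.1.10", "10.0.9.77", 9001),  # second outbound to the same peer
    (9000, "10.0.1.10", "10.0.2.30", 443),   # unrelated outbound, much later
]

def detect(flows, equinox_hosts, console_port, admin_nets, window=120):
    """Return alerts as (kind, time, equinox_host, peer, port) tuples."""
    admin = [ip_network(n) for n in admin_nets]
    pending = {}   # (equinox_host, peer) -> time of untrusted console connection
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        if dst in equinox_hosts and dport == console_port:
            # Inbound to the console: only allowlisted admin sources are expected.
            if not any(ip_address(src) in net for net in admin):
                alerts.append(("untrusted-console-connection", ts, dst, src, dport))
                pending[(dst, src)] = ts
        elif src in equinox_hosts:
            # Outbound from the Equinox host to a peer that just used the console.
            started = pending.get((src, dst))
            if started is not None and ts - started <= window:
                alerts.append(("outbound-after-console", ts, src, dst, dport))
    return alerts

if __name__ == "__main__":
    for alert in detect(FLOWS, {"10.0.1.10"}, 5555, ["10.0.5.0/24"]):
        print(alert)
```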
References
- VulnCheck Advisory: Eclipse Equinox OSGi 3.8-3.18 Console Remote Code Execution
- Exploit DB: OSGi v3.8-3.18 Console RCE (EDB ID 51878)
- Rapid7: Eclipse Equinox OSGi Console Command Execution Metasploit Module
- VisionSpace Technologies: Exploitation of the OSGi Console
- Eclipse Bug 169603: Option to Disable Builtin Console
- Eclipse Help: Console Shell Documentation
- Mat Booth: Using the Remote OSGi Console with Equinox
- Eclipse Equinox Project Page
- Eclipse Equinox GitHub Repository



