Statement on DCOM Server Security bypass (CVE-2021-26414)



DCOM (Distributed Component Object Model) is a technology that allows a computer application to call functions of another application running on a different computer over the network, as if the two programs were running on the same computer. DCOM is similar to CORBA (Common Object Request Broker Architecture) and shares the same purpose and basic concept.

While CORBA is an open standard, DCOM is proprietary to Microsoft and is only really available on the Windows operating system. Both technologies were introduced in the 1990s and, while they may still be present in legacy applications, have long since been replaced with more modern protocols like HTTP and RESTful API programming.

DCOM and CORBA were developed at a time when the nascent Internet was full of unicorns and harmless bunnies, so security was not a primary concern in their design. This has obviously changed dramatically since.

To address serious security concerns, Microsoft has released a patch named KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass. More specifically, it addresses CVE-2021-26414 and fixes a vulnerability in DCOM security. Basically, it forces a lock on the door when a computer tries to call a function of another computer through DCOM. Other patches are scheduled to follow. The CVE-2021-26414 post details the timeline for previous and future patches from Microsoft to permanently resolve the vulnerability.

Some legacy applications may rely on the fact that DCOM is open. The patch may cause these applications to break, as they may not be prepared to handle the additional security layer.

None of the current or classic Objectif Lune product offerings use DCOM to communicate and perform operations over the network. After extensive review and testing, we could not identify any adverse effect of the patch on our applications.

However, due to the nature of our products, especially Connect Workflow, there may be underlying components on the computer that are impacted by the patch which, in turn, may have an impact on our products. For example, Connect Workflow may be using a database driver relying on DCOM to talk to a remote database. We therefore encourage customers to enable the patch in a test environment to make sure their entire solution is running properly.
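One way to run that check on a test machine, as an added example that is not Objectif Lune's own tooling: a read-only PowerShell report of the hardening state and of any DCOM errors raised by components that cannot meet it. The registry value and event IDs come from Microsoft's KB5004442 article, not from this statement; the function name and the 7-day default are assumptions.

```powershell
# Added example: read-only report for the KB5004442 DCOM hardening.
# Registry path, value name and event IDs are those documented by Microsoft
# in KB5004442; the function name and defaults are hypothetical.
function Get-DcomHardeningReport {
    param(
        [int]$Days = 7   # how far back to search the System event log
    )

    $key   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $name  = 'RequireIntegrityActivationAuthenticationLevel'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # 1 = hardening enabled, 0 = disabled, absent = default of the installed update level
    if ($value -eq 1)     { $state = 'Hardening explicitly enabled' }
    elseif ($value -eq 0) { $state = 'Hardening explicitly disabled' }
    else                  { $state = 'Value not set: behaviour follows the installed update level' }

    # 10036 is logged on the DCOM server when it rejects a client whose
    # authentication level is too low; 10037 and 10038 are logged on the client.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches, so suppress it
    # and normalise the result to an array.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RegistryValue  = $value
        HardeningState = $state
        EventCounts    = $events | Group-Object Id | Select-Object Name, Count
        RecentEvents   = $events | Select-Object -First 20 TimeCreated, Id, Message
    }
}

# Run on both the Connect Workflow host and any remote server it talks to.
Get-DcomHardeningReport -Days 14 | Format-List
```

An empty event list after exercising the full solution with the hardening enabled indicates that no component on that machine was rejected for a low DCOM authentication level during the test window.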
