Web server hosting on the cloud using elasticsearch, my brainstorming to cyber security (13th Dec 2022)

Preface: Most people will agree that the best eCommerce platforms are BigCommerce and Shopify.
HCL Commerce (formerly known as WebSphere Commerce and WCS (WebSphere Commerce Suite)) is a software platform framework for e-commerce, including marketing, sales, customer and order processing functionality in a tailorable, integrated package. It was formerly an IBM product; the product was sold to HCL Technologies in July 2019.

Background: A Java application running inside the Open Liberty/WebSphere Liberty runtime (the application logs to hosted Elasticsearch). For details, refer to the attached diagram.

  1. My assumption is that the problem arises in the following circumstances.
    Middleware servers include the following types: WebSphere® Application Server, Liberty servers, Apache Tomcat servers, JBoss servers, BEA WebLogic servers, PHP servers, etc.
  2. To quote an example:
    Files used to display content on a website, such as HTML, CSS and JavaScript files, contain a lot of text. Due to the nature of these files, the same word appears many times throughout a document.
  3. To improve web server and client response time, Open Liberty can be configured to compress HTTP responses.
    Open Liberty is a lightweight open source Java runtime that is built from modular features. WebSphere Liberty is the commercial version of Open Liberty.
  4. The HTTP compression algorithms used are gzip, brotli or zstd.
    For GZIP compression to work on the XML Firewall, the compressed request/response message has to carry a “Transfer-Encoding” header instead of “Content-Encoding: gzip”. Specifically, the header is “Transfer-Encoding: gzip, chunked”. Without the Transfer-Encoding header, the compressed message will not be decompressed by the XML Firewall.
  5. If the above settings are applied to HCL Commerce, they will cause the vulnerability (CVE-2022-38656) to occur. HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service attack on the site and make administrative changes.
  6. Use of such a decompression chain could result in a “malloc bomb”.
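Points 4 to 6 describe the defensive problem: a component that honours “Transfer-Encoding: gzip, chunked” must inflate the body before it can inspect it, and an unbounded inflate is exactly what turns a few kilobytes on the wire into a “malloc bomb”. The following is an added example written for this post, not code from HCL Commerce, Open Liberty or the XML Firewall. It decodes the transfer codings in reverse order, permits only one compression layer (so no decompression chain), and inflates in small slices against an output cap and an expansion-ratio cap. The 1 MiB cap, the 100:1 ratio, the `decode_body`/`safe_gunzip` names and the sample bodies are all assumptions made up for the example; real limits depend on the deployment.

```python
"""Bounded decoding of a compressed HTTP body (added example, not vendor code).

Assumptions (not from the post): a 1 MiB output cap and a 100:1 expansion-ratio
cap; production limits depend on the deployment.
"""
import gzip
import io

MAX_DECOMPRESSED = 1024 * 1024   # hard cap on bytes we will materialise (assumption)
MAX_RATIO = 100                  # refuse bodies that expand more than 100x (assumption)
READ_CHUNK = 64 * 1024           # inflate in small slices so memory stays bounded


class DecompressionBombError(ValueError):
    """Raised when a body would expand past the configured limits."""


def parse_codings(header_value):
    """'gzip, chunked' -> ['gzip', 'chunked'] (order = order the sender applied them)."""
    return [c.strip().lower() for c in header_value.split(",") if c.strip()]


def dechunk(body):
    """Decode HTTP/1.1 chunked transfer coding (chunk extensions and trailers ignored)."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2          # skip the chunk data and its trailing CRLF


def safe_gunzip(data, max_out=MAX_DECOMPRESSED, max_ratio=MAX_RATIO):
    """Inflate a gzip body without ever holding more than max_out (+1) bytes of output."""
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
        while True:
            # Ask for at most one byte past the cap so an overflow is detectable,
            # and never more than READ_CHUNK so each read stays small.
            chunk = gz.read(min(READ_CHUNK, max_out + 1 - len(out)))
            if not chunk:
                break
            out += chunk
            if len(out) > max_out:
                raise DecompressionBombError(f"output exceeds {max_out} bytes")
            if len(out) > max_ratio * max(len(data), 1):
                raise DecompressionBombError(f"expansion ratio exceeds {max_ratio}:1")
    return bytes(out)


def decode_body(headers, body, max_out=MAX_DECOMPRESSED):
    """Undo the Transfer-Encoding codings, allowing at most one compression layer."""
    codings = parse_codings(headers.get("Transfer-Encoding", ""))
    compression = [c for c in codings if c != "chunked"]
    if len(compression) > 1:
        raise DecompressionBombError(f"refusing decompression chain: {codings}")
    if any(c not in ("gzip", "x-gzip") for c in compression):
        raise ValueError(f"unsupported transfer coding in {codings}")
    if "chunked" in codings and codings[-1] != "chunked":
        raise ValueError("chunked must be the final transfer coding")
    data = body
    for coding in reversed(codings):   # the receiver undoes codings in reverse order
        data = dechunk(data) if coding == "chunked" else safe_gunzip(data, max_out)
    return data


def chunk(data):
    """Constructed helper: wrap bytes as a single HTTP chunk for the samples below."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)


# Constructed samples: an ordinary page body versus a highly compressible body
# (a few KiB on the wire that inflates to 4 MiB, well past the 1 MiB cap).
NORMAL_BODY = chunk(gzip.compress(b"<html><body>Hello, shop</body></html>"))
BOMB_BODY = chunk(gzip.compress(b"\x00" * (4 * 1024 * 1024)))
HEADERS = {"Transfer-Encoding": "gzip, chunked"}


def demo():
    """Return (decoded normal body, whether the oversized body was rejected)."""
    ok = decode_body(HEADERS, NORMAL_BODY)
    try:
        decode_body(HEADERS, BOMB_BODY)
        bomb_blocked = False
    except DecompressionBombError:
        bomb_blocked = True
    return ok, bomb_blocked


if __name__ == "__main__":
    print(demo())
```

The two caps are deliberately independent: the absolute cap protects the process heap regardless of input size, while the ratio cap catches a body that is small on the wire but expands far beyond what real HTML, CSS or JavaScript ever does, which is the signature the XML Firewall or a reverse proxy would want to alert on rather than silently allocate.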

Vulnerabilities close to this discussion: CVE-2022-38656 – Certain versions of HCL Commerce from HCL Software contain the following vulnerability:
HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service attack on the site and make administrative changes.


Official announcement: Please refer to the link for details : https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101265
