CVE-2022-24721 is a medium-severity vulnerability affecting the CometD project, a scalable comet implementation used for web messaging. The vulnerability arises from incorrect authorization (CWE-863) in the handling of internal Oort and Seti channels in CometD versions prior to 5.0.11, 6.0.6, and 7.0.6. These channels are intended for internal cluster communication and should not be accessible to remote users. However, due to improper authorization checks, any remote user can subscribe to and publish messages on these channels. Subscribing to these channels allows an attacker to eavesdrop on cluster-internal traffic, potentially exposing sensitive data belonging to other users. Publishing to these channels enables an attacker to create, modify, or delete data of other users and alter the cluster structure, which could disrupt service integrity and availability. The vulnerability does not require authentication or user interaction, making exploitation relatively straightforward for any remote user with network access to the CometD service. The issue is addressed in CometD versions 5.0.11, 6.0.6, and 7.0.6. As an interim mitigation, deploying a custom SecurityPolicy that restricts subscription and publishing rights on Oort and Seti channels for remote, non-Oort sessions is recommended. No known exploits have been reported in the wild as of the published date in March 2022.

For European organizations using vulnerable versions of CometD, this vulnerability poses significant risks to confidentiality, integrity, and availability of internal cluster communications. Confidentiality is compromised as attackers can intercept sensitive data exchanged within the cluster. Integrity is at risk because attackers can manipulate or delete data belonging to other users and alter the cluster topology, potentially causing service disruptions or unauthorized data modifications. Availability could be affected if the cluster structure is destabilized. Organizations relying on CometD for real-time messaging in critical applications such as financial services, telecommunications, or industrial control systems may face operational disruptions and data breaches. The lack of authentication requirement and ease of exploitation increase the threat level, especially in environments where CometD services are exposed to untrusted networks or insufficiently segmented internal networks. This vulnerability could also facilitate lateral movement within compromised networks, amplifying the impact of initial breaches.

1. Upgrade CometD to the fixed versions 5.0.11, 6.0.6, or 7.0.6 as soon as possible to fully remediate the vulnerability. 2. Until patching is feasible, implement a custom SecurityPolicy that explicitly forbids subscription and publishing to Oort and Seti channels from remote, non-Oort sessions to prevent unauthorized access. 3. Restrict network access to CometD services by enforcing strict firewall rules and network segmentation, limiting exposure to trusted internal hosts only. 4. Monitor CometD logs for unusual subscription or publishing activity on Oort and Seti channels, which may indicate exploitation attempts. 5. Conduct regular security assessments and penetration tests targeting CometD deployments to identify and remediate any residual authorization weaknesses. 6. Educate development and operations teams about secure configuration of CometD and the importance of timely patching for messaging infrastructure.