A critical vulnerability has been discovered in Eclipse Che that allows an unauthenticated attacker to remotely execute arbitrary code and steal sensitive information. This flaw could lead to the complete compromise of developer workspaces, resulting in the theft of source code, credentials, and other intellectual property.

The vulnerability exists within the che-machine-exec component of Eclipse Che. This component exposes an unauthenticated JSON-RPC / websocket API on TCP port 3333. A remote, unauthenticated attacker can connect to this exposed endpoint and send specially crafted requests to execute arbitrary commands within any user's Developer Workspace container. Successful exploitation allows the attacker to gain full control over the container, enabling the exfiltration of sensitive data such as SSH keys, API tokens, and source code.

This vulnerability is rated as critical severity with a CVSS score of 9.0, reflecting the high potential for significant damage. A successful exploit could lead to the complete compromise of developer environments, resulting in the theft of valuable intellectual property, source code, and embedded secrets. This could facilitate further attacks, allowing an adversary to pivot from a compromised developer workspace into the broader corporate network, escalate privileges, and potentially disrupt development operations or introduce malicious code into the software supply chain.

Immediate Action: Update all affected instances of Eclipse Che to the latest patched version as recommended by the vendor. After patching, it is crucial to review access logs for the che-machine-exec component and container execution logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Implement monitoring for any anomalous network traffic targeting TCP port 3333 on Eclipse Che instances. Security teams should create alerts for unexpected processes running within developer workspace containers or for outbound connections from these containers to unknown destinations.

Compensating Controls: If immediate patching is not feasible, implement strict network firewall rules to restrict access to TCP port 3333. Access should be limited to only trusted internal components that require communication with the che-machine-exec API, effectively segmenting the vulnerable service from unauthorized access.

Public Exploit Available: false

Given the critical severity (CVSS 9.0) and the potential for complete system compromise, this vulnerability requires immediate attention. We strongly recommend that all affected Eclipse Che instances be patched immediately to prevent exploitation. If patching cannot be performed right away, the compensating controls outlined above, specifically restricting network access to TCP port 3333, must be implemented as a matter of urgency. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity warrants treating it as an active threat to the organization.