Date: Fri, 12 Jun 2020 07:09:13 +0200
From: Jean-Baptiste Onofre <jb@...thrax.net>
To: oss-security@...ts.openwall.com
Subject: [CVE-2020-11980] A remote client could create MBeans from arbitrary URLs

CVE-2020-11980: A remote client could create MBeans from arbitrary URLs

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.9

Description:

In Karaf, JMX authentication takes place using JAAS and authorization takes
place using ACL files. By default, only an "admin" can actually invoke on
an MBean. However, there is a vulnerability for someone who is not an
admin but has a "viewer" role: in 'etc/jmx.acl.cfg', such a role is allowed
to call get*. This leaves Karaf partially vulnerable to the attack described
here:

https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

"A remote client could create a javax.management.loading.MLet MBean and use
it to create new MBeans from arbitrary URLs, at least if there is no
security manager. In other words, a rogue remote client could make your
Java application execute arbitrary code."

It is possible to authenticate with the "viewer" role and invoke the MLet
getMBeansFromURL method, which goes off to a remote server to fetch the
desired MBean, which is then registered in Karaf. At this point the attack
fails, as "viewer" does not have the permission to invoke on the MBean.
Still, it can act as an SSRF-style attack, and it essentially allows a
"viewer" role to pollute the MBean registry, which is a kind of privilege
escalation.


The severity is low because it is possible to add an ACL entry to limit access.

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=2ccfba48bdfac6c2cd09c8f058641da0011e4c7e

Mitigation: Apache Karaf users should upgrade to 4.2.9 or later as soon as
possible, or add a new JMX ACL entry in the etc configuration.
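To make the ACL behaviour behind both the description and the mitigation concrete, here is an added example (not Karaf's own code and not part of this advisory): a small Python model of how entries in the etc/jmx.acl.cfg format resolve to the roles allowed to call a given MBean operation. The default entries are constructed from the advisory's description (viewer may call get*, everything else needs admin); the precedence rule (exact method name beats wildcard patterns, '*' applies last) is a simplification of Karaf's documented ACL matching and is an assumption of this example, as is the "getMBeansFromURL = admin" mitigation line.

```python
# Added example (not Karaf's code): a simplified model of how Karaf-style
# JMX ACL entries in etc/jmx.acl.cfg decide whether a role may invoke an
# MBean operation. The entries below are constructed from the advisory's
# description, not copied from a Karaf distribution.
from fnmatch import fnmatchcase

DEFAULT_ACL_TEXT = """\
# constructed sample in the etc/jmx.acl.cfg format: method pattern = roles
list* = viewer
get* = viewer
is* = viewer
set* = admin
* = admin
"""

# Constructed hardened variant (assumed mitigation): an exact entry for
# getMBeansFromURL outranks the get* wildcard, so only admin can pull
# MBeans from a remote URL.
HARDENED_ACL_TEXT = "getMBeansFromURL = admin\n" + DEFAULT_ACL_TEXT


def parse_acl(text):
    """Parse 'pattern = role1, role2' lines into {pattern: set(roles)}."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, roles = line.partition("=")
        acl[pattern.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl


def allowed_roles(acl, method):
    """Resolve the roles permitted to call `method`.

    Precedence (simplified from Karaf's documented behaviour, an assumption
    of this example): an exact method name wins over wildcard patterns such
    as get*, and the catch-all '*' applies only when nothing else matches.
    """
    if method in acl:
        return acl[method]
    globs = [p for p in acl if p != "*" and fnmatchcase(method, p)]
    if globs:
        # most specific (longest) wildcard first
        return acl[max(globs, key=len)]
    return acl.get("*", set())


def can_invoke(acl, roles, method):
    """True when any of the caller's roles is permitted for `method`."""
    return bool(set(roles) & allowed_roles(acl, method))


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_ACL_TEXT), ("hardened", HARDENED_ACL_TEXT)):
        acl = parse_acl(text)
        print(name, "ACL: viewer may call getMBeansFromURL ->",
              can_invoke(acl, {"viewer"}, "getMBeansFromURL"))
```

With the default entries the viewer role passes the get* check for getMBeansFromURL, which is exactly the gap the advisory describes; with the exact entry added, only admin passes. Real Karaf additionally consults per-MBean ACL configurations alongside the global etc/jmx.acl.cfg, so the file you would actually edit and the exact matching order should be taken from the Karaf documentation for your version.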

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6763

Credit: This issue was reported by Colm O hEigeartaigh

