-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2020-11980: A remote client could create MBeans from arbitrary URLs

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.9

Description:

In Karaf, JMX authentication takes place using JAAS and authorization takes
place using ACL files. By default, only an "admin" can actually invoke on
an MBean. However, there is a vulnerability for someone who is not an
admin but has a "viewer" role: in 'etc/jmx.acl.cfg', such a role can
call get*. This leaves it partially vulnerable to this attack:

https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

"A remote client could create a javax.management.loading.MLet MBean and use
it to create new MBeans from arbitrary URLs, at least if there is no
security manager. In other words, a rogue remote client could make your
Java application execute arbitrary code."

It's possible to authenticate with a viewer role and invoke the MLet
getMBeansFromURL method, which goes off to a remote server to fetch the
desired MBean, which is then registered in Karaf. At this point the attack
fails as "viewer" doesn't have the permission to invoke on the MBean.
Still, it could act as an SSRF style attack, and it essentially allows a
"viewer" role to pollute the MBean registry, which is a kind of privilege
escalation.

The severity is low as it's possible to add an ACL to limit access.

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=2ccfba48bdfac6c2cd09c8f058641da0011e4c7e

Mitigation: Apache Karaf users should upgrade to 4.2.9 or later as soon as
possible, or add a new JMX ACL to the etc configuration.
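As an added illustration (not part of this advisory, and not Karaf's own code), the following Python model shows why the default "get* = viewer" rule in etc/jmx.acl.cfg lets a "viewer" reach getMBeansFromURL, and how an exact-name rule closes that gap. The DEFAULT_ACL text is constructed to resemble the Karaf default file, the "getMBeansFromURL = admin" line is an assumed mitigation written in the documented ACL syntax rather than the project's actual fix, and the resolver models only Karaf's documented "most specific rule wins" precedence for method names and method-name wildcards (argument-specific rules are not modelled).

```python
"""Simplified model of Karaf JMX ACL resolution for a method name.

Added example, not Apache Karaf's own code.  Only plain method names and
`prefix*` wildcards are modelled; Karaf's per-MBean ACL files and
argument-matching rules are left out.
"""

# Constructed sample resembling the default etc/jmx.acl.cfg shipped with Karaf.
DEFAULT_ACL = """\
# constructed: method-name pattern = comma-separated roles
list* = viewer
get*  = viewer
is*   = viewer
set*  = admin
*     = admin
"""

# Assumed mitigation rule (not the project's own change): an exact method
# name is more specific than the get* wildcard, so it takes precedence.
HARDENED_ACL = DEFAULT_ACL + """\
getMBeansFromURL = admin
"""


def parse_acl(text):
    """Parse `pattern = role1, role2` lines into {pattern: set(roles)}.

    Blank lines and `#` comments are ignored, as in a properties file.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        roles = {r.strip() for r in value.split(",") if r.strip()}
        rules[key.strip()] = roles
    return rules


def allowed_roles(rules, method):
    """Return the roles of the most specific rule matching `method`.

    Precedence modelled here: exact method name, then the `prefix*` rule
    with the longest prefix, then the bare `*` fallback (prefix length 0).
    """
    if method in rules:
        return rules[method]
    best, best_len = None, -1
    for pattern, roles in rules.items():
        if pattern.endswith("*"):
            prefix = pattern[:-1]
            if method.startswith(prefix) and len(prefix) > best_len:
                best, best_len = roles, len(prefix)
    return best if best is not None else set()


def can_invoke(rules, role, method):
    """True if `role` is permitted to invoke `method` under `rules`."""
    return role in allowed_roles(rules, method)


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_ACL), ("hardened", HARDENED_ACL)):
        rules = parse_acl(text)
        for role in ("viewer", "admin"):
            verdict = "allowed" if can_invoke(rules, role, "getMBeansFromURL") else "denied"
            print(f"{label:8s} {role:6s} getMBeansFromURL -> {verdict}")
```

Running the block prints that "viewer" is allowed getMBeansFromURL under the default rules (it matches get*) and denied under the hardened rules, while "admin" is allowed in both cases; other get* reads stay available to "viewer", so the added rule narrows exactly the method named in the advisory.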

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6763

Credit: This issue was reported by Colm O hEigeartaigh
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAl7jCTsACgkQv/LuQsgo
Lnbt+RAApiq4nPPx0TMuTyMDLVKuWXlxXLrDBnkwj2hEjDhFnZrosPmwk8hyIK92
GQXW+iKO/7vFL1KqxN7yQBOktzhqkhDAPuqALuPk1nAhe8GqnszAx6nkR8VpGqqW
OJxAnHY01m9HtV1hBQy5G/OqRr2GFKSxHhWnUSs3g1tVXox1oxTRwfJrRh2NcJv4
wX+I7mOUr+SplnJJZfLX+FWSvPPHvCWIiQrPHlp1tG8xmWVyuWhjiLuBqmeINsU3
mHB1t8u5XPJNE+KlQqjDDVEIiQi2nuzZO2UgfZiXhU3rzcoLGKTVvBDPdetZtc9t
xzUFooDJdr00hMlR8ZGTPKCUQsxsTleYWEplVI92dub2fVUJ3EZ6VOd9l9oEvs/P
abYsO3xDadhI+Za11aMAB7R2obbWl2Z69DlPCvGGCyTsxQA55raPlSgZDxydjdov
apDAVPVjn3liW02JtApmejRoVCvVA9j+IQSFsP846pLGEXZuSfwNwrn3bZWcHpEK
eFezU69TxWV2mHqAaeoNr7Ygzo6zD0PEPlALRzIzXWQhIr1HfL2hRgnfjna6gTvC
DyI93MQdA2J7SbRHARGjA4OuvZNs2r/ojFUPkwEQ2Crnu09mcw/Ga2RqE4cKCTXv
IFcq6TbyWvm3NzLqiwFF98w9SgUQKnJT9d9o8RXpDUZ/d2L68pI=
=bVxi
-----END PGP SIGNATURE-----