CVE-2020-11980: A remote client could create MBeans from arbitrary URLs
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: all versions of Apache Karaf prior to 4.2.9
Description:
In Karaf, JMX authentication takes place using JAAS and authorization takes
place using ACL files. By default, only an "admin" can actually invoke on
an MBean. However, there is a vulnerability for someone who is not an
admin but has a "viewer" role: in 'etc/jmx.acl.cfg', such a role can
call get*. This leaves it partially vulnerable to the attack described at:
https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
"A remote client could create a javax.management.loading.MLet MBean and use
it to create new MBeans from arbitrary URLs, at least if there is no
security manager. In other words, a rogue remote client could make your
Java application execute arbitrary code."
It is possible to authenticate with the viewer role and invoke the MLet
getMBeansFromURL method, which goes off to a remote server to fetch the
desired MBean, which is then registered in Karaf. At this point the attack
fails, as "viewer" does not have permission to invoke on the MBean.
Still, it could act as an SSRF-style attack, and it essentially allows a
"viewer" role to pollute the MBean registry, which is a kind of privilege
escalation.
The severity is low as it is possible to add an ACL to limit access.
This has been fixed in revisions:
https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=2ccfba48bdfac6c2cd09c8f058641da0011e4c7e
Mitigation: Apache Karaf users should upgrade to 4.2.9
or later as soon as possible, or add a new JMX ACL in the etc configuration.
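An illustrative ACL entry for the workaround, added here and not part of the advisory. It assumes the stock etc/jmx.acl.cfg uses the "method = roles" format shown below and that an exact method-name entry is matched before the get* wildcard; check both against your Karaf version before relying on it.

```properties
# etc/jmx.acl.cfg (assumed default entries). The advisory's point is that
# "get* = viewer" also covers javax.management.loading.MLet.getMBeansFromURL,
# so a viewer can make Karaf fetch and register MBeans from a remote URL.

# Hardening: name the loader method explicitly and reserve it for admin.
# Assumes an exact method name takes precedence over the get* wildcard.
getMBeansFromURL = admin

list* = viewer
get*  = viewer
is*   = viewer
set*  = admin
*     = admin
```

The same restriction can be kept in place after upgrading to 4.2.9 as a defense in depth for any other loader-style MBean a viewer can reach through get*.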
JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6763
Credit: This issue was reported by Colm O hEigeartaigh