CVE-2020-11980: A remote client could create MBeans from arbitrary URLs

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.9

Description:
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However, there is a vulnerability there for someone who is not an admin but has a "viewer" role. In 'etc/jmx.acl.cfg', such a role can call get*. This leaves it partially vulnerable to the attack described at:

https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

"A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code."

It's possible to authenticate with the viewer role and invoke the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails, as "viewer" doesn't have the permission to invoke on the MBean. Still, it could act as an SSRF-style attack, and it essentially allows a "viewer" role to pollute the MBean registry, which is a kind of privilege escalation.

The severity is low as it's possible to add an ACL to limit access.

This has been fixed in revision:
https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
https://gitbox.apache.org/repos/asf?p=karaf.git;a=commit;h=2ccfba48bdfac6c2cd09c8f058641da0011e4c7e

Mitigation: Apache Karaf users should upgrade to 4.2.9 or later as soon as possible, or add a new JMX ACL in the etc configuration to limit access.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6763

Credit: This issue was reported by Colm O hEigeartaigh
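The following is an added example, not code from the advisory or from the Karaf project: a simplified model of how a Karaf-style ACL file such as etc/jmx.acl.cfg maps an MBean operation name to the roles allowed to invoke it, used to show why a blanket "get* = viewer" entry also covers MLet.getMBeansFromURL and how a more specific entry closes that gap. The sample ACL contents and the matching order (exact operation name, then the longest "prefix*" wildcard, then "*") are assumptions that approximate Karaf's most-specific-match behaviour, not a verified copy of its implementation.

```python
# Added example (not Karaf's own code): model of Karaf-style JMX ACL matching.
# Matching order (exact name, longest "prefix*" wildcard, then "*") is an
# assumption approximating Karaf's most-specific-match rule.
from fnmatch import fnmatchcase

# Constructed sample resembling the default-style ACL the advisory describes:
# any get* operation is open to the viewer role, everything else needs admin.
DEFAULT_ACL = """
list* = viewer
get* = viewer
is* = viewer
set* = admin
* = admin
"""

# Constructed sample: same file plus an explicit, more specific entry that
# pins the MLet loading operation to admin, as the advisory's mitigation suggests.
HARDENED_ACL = DEFAULT_ACL + "getMBeansFromURL = admin\n"


def parse_acl(text):
    """Return (pattern, roles) pairs from a Karaf-style 'op = role, role' file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, roles = line.partition("=")
        rules.append((pattern.strip(), [r.strip() for r in roles.split(",") if r.strip()]))
    return rules


def allowed_roles(rules, operation):
    """Roles permitted to invoke `operation`, preferring the most specific rule."""
    exact = [r for p, r in rules if p == operation]
    if exact:
        return exact[0]
    # Among wildcard rules such as "get*", the longest matching pattern wins;
    # the bare "*" catch-all is consulted only when nothing else matches.
    wild = sorted(((p, r) for p, r in rules if p != "*" and fnmatchcase(operation, p)),
                  key=lambda pr: len(pr[0]), reverse=True)
    if wild:
        return wild[0][1]
    return next((r for p, r in rules if p == "*"), [])


def can_invoke(acl_text, role, operation):
    """True if `role` may invoke `operation` under the given ACL text."""
    return role in allowed_roles(parse_acl(acl_text), operation)


if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("hardened", HARDENED_ACL)):
        print(name, "viewer -> getMBeansFromURL:", can_invoke(acl, "viewer", "getMBeansFromURL"))
```

Running the script against a real etc/jmx.acl.cfg (read from disk instead of the constructed sample) gives a quick audit of which roles a wildcard entry silently grants access to.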