Bug 1850450 (CVE-2020-11980) - CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs
Summary: CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs
Alias: CVE-2020-11980
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: Embargoed1850451
Reported: 2020-06-24 10:46 UTC by Michael Kaplan
Modified: 2021-02-16 19:47 UTC

Fixed In Version: Apache Karaf 4.2.9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-12-16 16:19:11 UTC


External Trackers
  System: Red Hat Product Errata
  ID: RHSA-2020:5568
  Private: 0
  Priority: None
  Status: None
  Summary: None
  Last Updated: 2020-12-16 12:14:37 UTC

Description Michael Kaplan 2020-06-24 10:46:55 UTC
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However, there is a vulnerability there for someone who is not an admin, but has a "viewer" role. In the 'etc/jmx.acl.cfg', such a role can call get*. It's possible to authenticate as a viewer role + invoke on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as "viewer" doesn't have the permission to invoke on the MBean. Still, it could act as an SSRF style attack and also it essentially allows a "viewer" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add an ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.


Comment 5 Ted Jongseok Won 2020-06-25 08:53:32 UTC
It's possible to add a JMX ACL in etc configuration to limit access.
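As an added illustration (not a file from this bug report or from the Karaf project), the etc/jmx.acl.cfg fragment below shows how the rules described in the report expose the MLet operation to the "viewer" role, and what the ACL mitigation mentioned in Comment 5 can look like. The first group of rules is shaped after the default Karaf pattern the description refers to (get* granted to viewer), not a verbatim copy of any release's file. The added getMBeansFromURL rule is an assumption about a suitable mitigation; it relies on Karaf's ACL matching, where an exact method-name rule is more specific than a wildcard pattern and therefore wins. Check this against the JMX security documentation of the Karaf version actually deployed, and prefer upgrading to 4.2.9 or newer as the report advises.

```properties
# etc/jmx.acl.cfg (illustrative fragment, constructed for this example;
# roles and patterns are shaped after the default Karaf rules the bug
# description refers to, not a verbatim copy of a shipped file)
#
# Weak: the wildcard grants the "viewer" role every method whose name
# starts with "get". That also matches MLet.getMBeansFromURL(...), which
# makes the Karaf JVM fetch and register MBeans from a caller-supplied URL,
# the SSRF-style behaviour and registry pollution the report describes.
list* = viewer
get* = viewer
is* = viewer
set* = admin
* = admin

# Hardened (assumed mitigation, added here): an exact method-name rule is
# more specific than the "get*" pattern, so it takes precedence and limits
# the URL-loading operation to "admin" while leaving ordinary getters to
# "viewer".
getMBeansFromURL = admin
```

Because etc/jmx.acl.cfg applies to every MBean, the exact rule covers any MLet instance regardless of its object name; the same rule could instead be placed in a per-MBean ACL file scoped to a specific object name if Karaf's per-MBean ACL files are used in the deployment.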

Comment 10 errata-xmlrpc 2020-12-16 12:14:30 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 11 Product Security DevOps Team 2020-12-16 16:19:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

