Bug 1850450 (CVE-2020-11980) - CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs
Summary: CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs
Status: NEW
Alias: CVE-2020-11980
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1850451
Reported: 2020-06-24 10:46 UTC by Michael Kaplan
Modified: 2020-07-10 21:45 UTC (History)

Fixed In Version: Apache Karaf 4.2.9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:


Description Michael Kaplan 2020-06-24 10:46:55 UTC
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However, there is a vulnerability there for someone who is not an admin but has a "viewer" role. In 'etc/jmx.acl.cfg', such a role can call get*. It's possible to authenticate as a viewer role and invoke on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as "viewer" doesn't have the permission to invoke on the MBean. Still, it could act as an SSRF-style attack, and it essentially allows a "viewer" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add an ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.


Comment 5 Ted (Jong Seok) Won 2020-06-25 08:53:32 UTC

It's possible to add a JMX ACL in the etc configuration to limit access.

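As an added illustration (not part of the bug report and not a file taken from Karaf), the wildcard rules of Karaf's default etc/jmx.acl.cfg that let a "viewer" reach getMBeansFromURL, followed by the kind of extra ACL rule the report and Comment 5 refer to. The default lines are quoted from memory of Karaf 4.2.x, and the assumption that an exact method-name rule takes precedence over a wildcard rule in the same file should be checked against your installation's Karaf security documentation.

```properties
# etc/jmx.acl.cfg
# Default rules as shipped in Karaf 4.2.x (quoted from memory, not from
# this bug report). A remote JMX client holding only the "viewer" role
# may call any operation matching these patterns on every MBean that has
# no more specific jmx.acl.<domain>.<...>.cfg file of its own.
list* = viewer
# "get*" also matches javax.management.loading.MLet.getMBeansFromURL,
# which makes Karaf fetch and register MBeans from a caller-supplied URL.
get* = viewer
is* = viewer
set* = admin
* = admin

# Hardening rule added below the defaults.
# Assumption: Karaf prefers an exact method-name match over a wildcard
# match in the same file, so this overrides "get* = viewer" for this one
# operation (both the String and URL overloads) while leaving every other
# get* operation readable by "viewer". A more specific ACL file for the
# MLet's ObjectName domain would still take precedence over this file.
getMBeansFromURL = admin
```

Restricting the rule this way is a mitigation for deployments that cannot move to 4.2.9 yet; the report still recommends the upgrade.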