CVE-2020-11980: SSRF
First published: Fri Jun 12 2020(Updated: )
In Karaf, JMX authentication takes place using JAAS and authorization takes place using ACL files. By default, only an "admin" can actually invoke on an MBean. However there is a vulnerability there for someone who is not an admin, but has a "viewer" role. In the 'etc/jmx.acl.cfg', such as role can call get*. It's possible to authenticate as a viewer role + invokes on the MLet getMBeansFromURL method, which goes off to a remote server to fetch the desired MBean, which is then registered in Karaf. At this point the attack fails as "viewer" doesn't have the permission to invoke on the MBean. Still, it could act as a SSRF style attack and also it essentially allows a "viewer" role to pollute the MBean registry, which is a kind of privilege escalation. The vulnerability is low as it's possible to add a ACL to limit access. Users should update to Apache Karaf 4.2.9 or newer.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Apache Karaf | <4.2.9 | 4.2.9 |
| Apache Karaf | <4.2.9 | |
| maven/org.apache.karaf.management:org.apache.karaf.management.server | <4.2.9 | 4.2.9 |
Remedy
It's possible to add a JMX ACL in etc configuration to limit access.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-11980
- http://karaf.apache.org/security/cve-2020-11980.txt
- https://github.com/apache/karaf/commit/3e4c4bed2d08e81ca5961ab5fcadab23470db1c9
- https://github.com/advisories/GHSA-9jg9-6wm2-x7p5 (Advisory)
- https://access.redhat.com/errata/RHSA-2020:5568
- https://access.redhat.com/security/cve/cve-2020-11980
- https://bugzilla.redhat.com/show_bug.cgi?id=1850450
- https://www.cve.org/CVERecord?id=CVE-2020-11980 https://nvd.nist.gov/vuln/detail/CVE-2020-11980
Frequently Asked Questions
What is CVE-2020-11980?
CVE-2020-11980 is a vulnerability in Apache Karaf which allows unauthorized users with a 'viewer' role to execute operations on MBeans.
How does the authentication and authorization work in Karaf?
Karaf uses JAAS for authentication and ACL files for authorization in the JMX system.
Who can invoke operations on MBeans by default in Karaf?
By default, only an 'admin' user can invoke operations on MBeans in Karaf.
How can the CVE-2020-11980 vulnerability be mitigated?
To mitigate CVE-2020-11980, make sure to update Apache Karaf to version 4.2.9 or higher.
What is the severity of CVE-2020-11980?
The severity of CVE-2020-11980 is high, with a CVSS score of 8.8.
- collector/redhat-cve
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-9jg9-6wm2-x7p5
- alias/CVE-2020-11980
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache karaf
- package-manager/maven
- package-manager/redhat