CVE-2018-11787 in Karaf
Summary
by MITRE
In Apache Karaf versions prior to 3.0.9, 4.0.9, 4.1.1, when the webconsole feature is installed in Karaf, it is available at .../system/console and requires authentication to access it. One part of the console is a Gogo shell/console that gives access to the command line console of Karaf via a Web browser, and when navigated to it is available at .../system/console/gogo. Trying to go directly to that URL does require authentication. An optional bundle that some applications use is the Pax Web Extender Whiteboard; it is part of the pax-war feature and perhaps others. When it is installed, the Gogo console becomes available at another URL, .../gogo/, and that URL is not secured, giving access to the Karaf console to unauthenticated users. A mitigation for the issue is to manually stop/uninstall the Gogo plugin bundle that is installed with the webconsole feature, although of course this removes the console from the .../system/console application, not only from the unauthenticated endpoint. One could also stop/uninstall the Pax Web Extender Whiteboard, but other components/applications may require it and so their functionality would be reduced/compromised.
Analysis
by VulDB Data Team • 03/24/2020
Apache Karaf versions prior to 3.0.9, 4.0.9, and 4.1.1 contain a critical authentication bypass vulnerability in the webconsole feature that exposes the Gogo shell console to unauthenticated users. The flaw lies in how access controls are applied once the Pax Web Extender Whiteboard bundle is installed: the primary webconsole at /system/console enforces authentication, but the pax-war feature (or any other feature that brings in the Whiteboard) also registers the Gogo console at the /gogo/ endpoint, and that second registration carries no authentication requirement, giving attackers command-line access to the Karaf container.
The technical flaw represents a weakness in the web application's authorization mechanisms, specifically related to how servlet mappings are handled when additional bundles are installed. When the Pax Web Extender Whiteboard is present, it registers the Gogo console at a different URL path that bypasses the authentication checks implemented for the primary webconsole interface. This creates a privilege escalation vector where unauthenticated users can access the underlying Karaf command-line interface, potentially enabling them to execute arbitrary commands, access sensitive system information, or manipulate the container configuration. The vulnerability is classified as a bypass of access control mechanisms and aligns with CWE-284 Access Control Issues, specifically CWE-285: Improper Authorization.
The operational impact of this vulnerability is severe as it allows attackers to gain full administrative access to the Karaf container through a web browser interface. An attacker could perform reconnaissance, execute commands, modify configuration files, access system resources, or potentially escalate privileges to gain deeper system control. The exposure of the Gogo console means that attackers can leverage the full capabilities of the Karaf environment, including access to deployed applications, system properties, and potentially sensitive data stored within the container. This vulnerability affects organizations that rely on Apache Karaf for application deployment and management, particularly those with exposed web interfaces.
Mitigation strategies for this vulnerability include manually stopping or uninstalling the Gogo plugin bundle that is installed with the webconsole feature, though this approach removes console access from the legitimate /system/console application as well. Alternative approaches involve stopping or uninstalling the Pax Web Extender Whiteboard bundle, but this may compromise other applications or components that depend on this functionality. Organizations should implement proper access controls and network segmentation to limit exposure of the affected endpoints. The recommended solution is to upgrade to Apache Karaf versions 3.0.9, 4.0.9, or 4.1.1 where this vulnerability has been addressed through proper authentication enforcement. This vulnerability is also categorized under ATT&CK technique T1059 Command and Scripting Interpreter, as it enables adversaries to execute commands on the target system through the exposed command-line interface.
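The two checks a defender wants after reading the paragraphs above are (a) whether a given Karaf build falls inside the affected ranges and (b) whether the /gogo/ path on one of their own instances answers an unauthenticated request. The following script is an added example written for this page; it is not code from VulDB, MITRE or the Apache Karaf project. The version boundaries are taken from the advisory text (3.0.9, 4.0.9, 4.1.1); the reading that every release below 3.0.9 is affected and that the 4.2 line and later are fixed is an assumption drawn from that wording. The endpoint check is meant to be pointed at a deployment you administer; the status-code interpretation (401/403 = protected, 2xx = exposed, 3xx = probably a login redirect, 404 = console not registered at that path) is the script's own heuristic, not a statement from the advisory.

```python
"""Affected-version and endpoint checks for CVE-2018-11787 (Apache Karaf webconsole / Gogo).

Added example for this page; not code from VulDB, MITRE or Apache Karaf.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Tuple

# Fixed releases named in the advisory. Assumption about the lines: anything below
# 3.0.9 is affected, 4.0.x is fixed from 4.0.9, 4.1.x is fixed from 4.1.1, later lines are fixed.
FIXED_VERSIONS = ((3, 0, 9), (4, 0, 9), (4, 1, 1))


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Karaf version string such as '4.0.8' or '4.1.0.RC1' to a numeric triple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Karaf version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True when the release falls inside one of the affected ranges stated in the advisory."""
    v = parse_version(version)
    if v < FIXED_VERSIONS[0]:          # everything before 3.0.9
        return True
    if v[:2] == (4, 0):                # 4.0.x line fixed in 4.0.9
        return v < FIXED_VERSIONS[1]
    if v[:2] == (4, 1):                # 4.1.x line fixed in 4.1.1
        return v < FIXED_VERSIONS[2]
    return False                       # 3.0.9+, 4.2+ and later lines


def classify_gogo_status(status: int) -> str:
    """Interpret the HTTP status an unauthenticated GET of .../gogo/ returned (heuristic)."""
    if status in (401, 403):
        return "protected"      # the endpoint demands credentials
    if status == 404:
        return "absent"         # no Gogo plugin / Whiteboard registration at this path
    if 300 <= status < 400:
        return "redirected"     # typically a login page; inspect the Location header
    if 200 <= status < 300:
        return "exposed"        # console served without authentication: the CVE condition
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_gogo_endpoint(base_url: str, path: str = "/gogo/", timeout: float = 5.0) -> str:
    """Send one unauthenticated GET to <base_url>/gogo/ on a Karaf instance you administer."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_gogo_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_gogo_status(err.code)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: karaf_gogo_check.py <karaf-version> [base-url-of-your-instance]")
        sys.exit(2)
    ver = sys.argv[1]
    verdict = "AFFECTED" if is_affected_version(ver) else "not affected"
    print(f"Karaf {ver}: {verdict} by CVE-2018-11787")
    if len(sys.argv) > 2:
        print(f"unauthenticated GET {sys.argv[2].rstrip('/')}/gogo/ -> {check_gogo_endpoint(sys.argv[2])}")
```

A "protected" result for /gogo/ on an affected version most likely means the Pax Web Extender Whiteboard is not installed, which matches the advisory's description: the unauthenticated path only exists once that bundle is present. A "redirected" result is inconclusive on its own, because a redirect to a login form and a redirect into the console look the same at this level; follow it with credentials you own before concluding anything.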