Prior to Karaf 3.0.9, Karaf 4.0.9, and Karaf 4.1.1, HTTP endpoints published by Karaf features may also be published under the HTTP web root, in addition to the paths specifically configured by the installed feature. Authentication and access control rules may not cover this additional path, potentially leading to authentication bypass on published features. The Gogo shell provided by the webconsole feature is potentially accessible without authentication as a result.
Find out more about CVE-2018-11787 from the MITRE CVE dictionary dictionary and NIST NVD.
Open Daylight: The webconsole feature is not installed by default. In RHOSP12 and earlier, when the webconsole feature is installed, the gogo webshell potentially provides access to the Karaf console without authentication.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 9.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenStack Platform 9.0 | opendaylight | Affected |
| Red Hat OpenStack Platform 8.0 (Liberty) | opendaylight | Affected |
| Red Hat OpenStack Platform 13.0 (Queens) | opendaylight | Not affected |
| Red Hat OpenStack Platform 12.0 | opendaylight | Affected |
| Red Hat OpenStack Platform 10 | opendaylight | Affected |
| Red Hat JBoss Fuse Service Works 6 | karaf | Under investigation |
| Red Hat JBoss Fuse 7 | karaf | Under investigation |
| Red Hat JBoss Fuse 6 | karaf | Under investigation |
| Red Hat JBoss A-MQ 6 | karaf | Under investigation |
Vulmon