8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41766

GHSA ID

GHSA-jh5g-9m4v-9vv9

EPSS Score

0.5576%

CWE

CWE-502

Published

1/28/2022

Updated

9/25/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41766

CVE-2021-41766:
Insecure Java Deserialization in Apache Karaf

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack. The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets class path. Generally speaking, deserialization of untrusted data does always represent a high security risk and should be prevented. The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path. It depends of system scoped classes (e.g. jar in the lib folder).

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41766

GHSA ID

GHSA-jh5g-9m4v-9vv9

EPSS Score

0.5576%

CWE

CWE-502

Published

1/28/2022

Updated

9/25/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.karaf.management:org.apache.karaf.management.server	maven	< 4.3.6	4.3.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the lack of a deserialization filter in Karaf's JMX implementation. The patch introduced the CREDENTIALS_FILTER_PATTERN to the environment map in Activator.java, which was previously missing. The start() method in Activator.java is responsible for configuring the JMX connector server's environment. Before the fix, this method did not include the critical security filter, leaving the system vulnerable to deserialization attacks. The commit diff explicitly shows the addition of this filter pattern to harden the environment, confirming the function's role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** K*r** *llows monitorin* o* *ppli**tions *n* t** J*v* runtim* *y usin* t** J*v* M*n***m*nt *xt*nsions (JMX). JMX is * J*v* RMI **s** t***nolo*y t**t r*li*s on J*v* s*ri*liz** o*j**ts *or *li*nt s*rv*r *ommuni**tion. W**r**s t** ****ult JMX impl

Reasoning

T** vuln*r**ility st*ms *rom t** l**k o* * **s*ri*liz*tion *ilt*r in K*r**'s JMX impl*m*nt*tion. T** p*t** intro*u*** t** *R***NTI*LS_*ILT*R_P*TT*RN to t** *nvironm*nt m*p in **tiv*tor.j*v*, w*i** w*s pr*viously missin*. T** st*rt() m*t*o* in **tiv*t

8.1

Basic Information

Concerned about an active attack path?

CVE-2021-41766: Insecure Java Deserialization in Apache Karaf

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-41766:
Insecure Java Deserialization in Apache Karaf

Vulnerability Intelligence
Miggo AI