Posted to issues@karaf.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2015/12/15 18:56:46 UTC
[jira] [Created] (KARAF-4214) Deserialization of Untrusted Data
Eduardo Aguinaga created KARAF-4214:
---------------------------------------
Summary: Deserialization of Untrusted Data
Key: KARAF-4214
URL: https://issues.apache.org/jira/browse/KARAF-4214
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga
HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An adversary could attack the application by tampering with the resource "karaf.key".
File: client\src\main\java\org\apache\karaf\client\Main.java
Line: 297
Main.java, lines 291-313:
291     private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
292         InputStream is = null;
293         try {
294             SshAgent agent = new AgentImpl();
295             is = privateKeyUrl.openStream();
296             ObjectInputStream r = new ObjectInputStream(is);
297             KeyPair keyPair = (KeyPair) r.readObject();
298             is.close();
299             agent.addIdentity(keyPair, user);
300             if (keyFile != null) {
301                 String[] keyFiles = new String[]{keyFile};
302                 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
303                 for (KeyPair key : fileKeyPairProvider.loadKeys()) {
304                     agent.addIdentity(key, user);
305                 }
306             }
307             return agent;
308         } catch (Throwable e) {
309             close(is);
310             System.err.println("Error starting ssh agent for: " + e.getMessage());
311             return null;
312         }
313     }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
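One way to read the same serialized key file without letting an arbitrary object graph in, as an added example that is not Karaf's code: the stream is given a class allow-list so that only a java.security.KeyPair and the classes its serialized form actually consists of can be instantiated, and everything else is rejected before construction. It assumes Java 9 or later for java.io.ObjectInputFilter; the class name RestrictedKeyPairLoader and the size limits are hypothetical choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.net.URL;
import java.security.KeyPair;

// Hypothetical replacement for the key loading in Main.startAgent (added example, not Karaf code).
public final class RestrictedKeyPairLoader {

    // Allow-list: only what a serialized java.security.KeyPair is made of.
    // Provider key classes are written as java.security.KeyRep (via writeReplace),
    // so no provider-specific implementation class needs to be permitted; KeyRep
    // rebuilds the keys through KeyFactory in readResolve. Primitive arrays (the
    // encoded key bytes) are always accepted by the filter. "!*" rejects every
    // other class, including any gadget chain present on the classpath.
    private static final ObjectInputFilter KEYPAIR_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxbytes=1048576;"               // size limits are hypothetical choices
            + "java.security.KeyPair;"
            + "java.security.KeyRep;"
            + "java.security.KeyRep$Type;"
            + "java.lang.Enum;"
            + "java.lang.String;"
            + "!*");

    private RestrictedKeyPairLoader() {
    }

    public static KeyPair load(URL privateKeyUrl) throws IOException, ClassNotFoundException {
        try (InputStream is = privateKeyUrl.openStream();
             ObjectInputStream ois = new ObjectInputStream(is)) {
            // The filter is consulted for every class before it is resolved, so a
            // tampered karaf.key cannot instantiate anything outside the list.
            ois.setObjectInputFilter(KEYPAIR_FILTER);
            Object o = ois.readObject();
            // Check the type explicitly instead of casting, so a wrong payload fails cleanly.
            if (!(o instanceof KeyPair)) {
                throw new InvalidObjectException("expected a KeyPair, got "
                        + (o == null ? "null" : o.getClass().getName()));
            }
            return (KeyPair) o;
        }
    }
}
```

A rejected class surfaces as java.io.InvalidClassException with a "filter status: REJECTED" message, which is the event worth logging when such a file is tampered with.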