Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2015/12/16 21:02:46 UTC
[jira] [Updated] (KARAF-4214) Deserialization of Untrusted Data
[ https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4214:
----------------------------------------
Description:
HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An adversary could attack the application by tampering with the resource "karaf.key".
File: client\src\main\java\org\apache\karaf\client\Main.java
Line: 297
Main.java, lines 291-313:
{code}
291 private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
292 InputStream is = null;
293 try {
294 SshAgent agent = new AgentImpl();
295 is = privateKeyUrl.openStream();
296 ObjectInputStream r = new ObjectInputStream(is);
297 KeyPair keyPair = (KeyPair) r.readObject();
298 is.close();
299 agent.addIdentity(keyPair, user);
300 if (keyFile != null) {
301 String[] keyFiles = new String[]{keyFile};
302 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
303 for (KeyPair key : fileKeyPairProvider.loadKeys()) {
304 agent.addIdentity(key, user);
305 }
306 }
307 return agent;
308 } catch (Throwable e) {
309 close(is);
310 System.err.println("Error starting ssh agent for: " + e.getMessage());
311 return null;
312 }
313 }
{code}
was:
HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An adversary could attack the application by tampering with the resource "karaf.key".
File: client\src\main\java\org\apache\karaf\client\Main.java
Line: 297
Main.java, lines 291-313:
291 private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
292 InputStream is = null;
293 try {
294 SshAgent agent = new AgentImpl();
295 is = privateKeyUrl.openStream();
296 ObjectInputStream r = new ObjectInputStream(is);
297 KeyPair keyPair = (KeyPair) r.readObject();
298 is.close();
299 agent.addIdentity(keyPair, user);
300 if (keyFile != null) {
301 String[] keyFiles = new String[]{keyFile};
302 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
303 for (KeyPair key : fileKeyPairProvider.loadKeys()) {
304 agent.addIdentity(key, user);
305 }
306 }
307 return agent;
308 } catch (Throwable e) {
309 close(is);
310 System.err.println("Error starting ssh agent for: " + e.getMessage());
311 return null;
312 }
313 }
> Deserialization of Untrusted Data
> ---------------------------------
>
> Key: KARAF-4214
> URL: https://issues.apache.org/jira/browse/KARAF-4214
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
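Added example (not code from the Karaf project or from the report above): the shape of Main.java lines 296-297 next to a hardened reader. The hardened variant overrides ObjectInputStream.resolveClass(), which runs for every class descriptor before any object of that class is instantiated, so a tampered karaf.key that carries an unexpected class is rejected before its readObject()/readResolve() code can run. The plain variant only fails at the (KeyPair) cast, after the foreign object has already been fully built. Assumptions: the allowlist is what a KeyPair from the JDK's built-in RSA provider serializes to (JDK keys serialize through java.security.KeyRep); the key material is generated in main() as a stand-in for a real karaf.key; the class and method names (KeyPairInputStream, loadChecked, loadUnchecked, serialize) are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.HashMap;
import java.util.Set;

public class KeyPairStreamExample {

    // Classes a serialized java.security.KeyPair from the JDK's built-in providers
    // consists of; the key objects themselves are written as java.security.KeyRep.
    // Assumption for this example: extend the set if your key file uses another provider.
    private static final Set<String> ALLOWED = Set.of(
            "java.security.KeyPair",
            "java.security.KeyRep",
            "java.security.KeyRep$Type",
            "java.lang.Enum",
            "java.lang.String",
            "[B");

    // Look-ahead stream: resolveClass() is consulted before instantiation, so an
    // unexpected class never gets its deserialization hooks executed.
    static final class KeyPairInputStream extends ObjectInputStream {
        KeyPairInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not allowed in key file");
            }
            return super.resolveClass(desc);
        }
    }

    // Same shape as Main.java lines 296-297: whatever class is in the stream gets instantiated.
    static KeyPair loadUnchecked(InputStream is) throws IOException, ClassNotFoundException {
        try (ObjectInputStream r = new ObjectInputStream(is)) {
            return (KeyPair) r.readObject();
        }
    }

    // Hardened: identical call site, but only allowlisted classes are resolved.
    static KeyPair loadChecked(InputStream is) throws IOException, ClassNotFoundException {
        try (ObjectInputStream r = new KeyPairInputStream(is)) {
            return (KeyPair) r.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for a legitimate karaf.key: a serialized RSA KeyPair.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        byte[] goodKey = serialize(kpg.generateKeyPair());

        // Constructed sample standing in for a tampered karaf.key: a stream holding a class the
        // loader never expects. A HashMap is harmless; an attacker would use a gadget chain.
        byte[] tamperedKey = serialize(new HashMap<String, String>());

        KeyPair kp = loadChecked(new ByteArrayInputStream(goodKey));
        System.out.println("checked, legitimate key loaded: " + kp.getPublic().getAlgorithm());

        try {
            loadChecked(new ByteArrayInputStream(tamperedKey));
        } catch (InvalidClassException e) {
            System.out.println("checked, tampered key rejected before instantiation: " + e.getMessage());
        }

        try {
            loadUnchecked(new ByteArrayInputStream(tamperedKey));
        } catch (ClassCastException e) {
            // The cast fails only after the foreign object has been fully deserialized.
            System.out.println("unchecked, tampered key was deserialized; cast failed afterwards");
        }
    }
}
```

On Java 9 and later the same restriction can be expressed with ObjectInputFilter (ObjectInputStream.setObjectInputFilter) instead of subclassing. Storing the key as DER (PKCS#8 / X.509 SubjectPublicKeyInfo) and loading it through KeyFactory removes ObjectInputStream from the path entirely, which is the stronger fix when the file format can be changed.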