Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2015/12/16 21:02:46 UTC

[jira] [Updated] (KARAF-4214) Deserialization of Untrusted Data

     [ https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4214:
----------------------------------------
    Description: 
HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An adversary could attack the application by tampering with the resource "karaf.key". 

File: client\src\main\java\org\apache\karaf\client\Main.java
Line: 297

Main.java, lines 291-313:
{code}
291 private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
292     InputStream is = null;
293     try {
294         SshAgent agent = new AgentImpl();
295         is = privateKeyUrl.openStream();
296         ObjectInputStream r = new ObjectInputStream(is);
297         KeyPair keyPair = (KeyPair) r.readObject();
298         is.close();
299         agent.addIdentity(keyPair, user);
300         if (keyFile != null) {
301             String[] keyFiles = new String[]{keyFile};
302             FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
303             for (KeyPair key : fileKeyPairProvider.loadKeys()) {
304                 agent.addIdentity(key, user);                
305             }
306         }
307         return agent;
308     } catch (Throwable e) {
309         close(is);
310         System.err.println("Error starting ssh agent for: " + e.getMessage());
311         return null;
312     }
313 }
{code}
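The finding above is the classic pattern: `ObjectInputStream.readObject()` on a file the user can replace, so any class on the client classpath can be instantiated before the `(KeyPair)` cast ever runs. The following is an added example, not Karaf's code, showing the defensive reading the report calls for: an `ObjectInputFilter` allowlist (Java 9+) that admits only the classes a serialized `KeyPair` is expected to contain and rejects everything else before instantiation. The allowlist (`java.security.KeyPair`, `java.security.KeyRep`, `java.security.KeyRep$Type`, `java.lang.Enum`) is an assumption based on the JDK serializing `Key` implementations through `java.security.KeyRep`; the class name `KeyPairReaderExample` and the `readKeyPair` helper are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.HashMap;

public class KeyPairReaderExample {

    // Allowlist (assumption): the JDK replaces Key implementations with
    // java.security.KeyRep on serialization, and KeyRep carries a KeyRep.Type enum,
    // whose class descriptor chain includes java.lang.Enum. Primitive arrays such as
    // the encoded key bytes pass because the filter reduces arrays to their component
    // type. The trailing "!*" rejects every other class, including gadget chains.
    private static final ObjectInputFilter KEY_PAIR_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxbytes=65536;"
            + "java.security.KeyPair;java.security.KeyRep;java.security.KeyRep$Type;java.lang.Enum;!*");

    /** Reads a KeyPair, rejecting any unexpected class before it is instantiated. */
    static KeyPair readKeyPair(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(KEY_PAIR_FILTER);
            Object o = ois.readObject();
            // Belt and braces: the filter already forbids other top-level classes,
            // but the type check keeps the method's contract explicit.
            if (!(o instanceof KeyPair)) {
                throw new InvalidClassException("expected KeyPair, got " + o.getClass().getName());
            }
            return (KeyPair) o;
        }
    }

    /** Serializes an object graph to bytes, standing in for a key file on disk. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Legitimate key file: a freshly generated RSA KeyPair (constructed sample input).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair original = kpg.generateKeyPair();

        KeyPair restored = readKeyPair(new ByteArrayInputStream(serialize(original)));
        System.out.println("legitimate key file accepted: " + restored.getPublic().getAlgorithm());

        // Tampered key file: some other object graph in place of a KeyPair
        // (a HashMap is the constructed stand-in; the filter rejects it with
        // InvalidClassException, and no constructor or readObject of the
        // foreign class ever runs).
        byte[] tampered = serialize(new HashMap<String, String>());
        try {
            readKeyPair(new ByteArrayInputStream(tampered));
            System.out.println("unexpected: tampered key file was accepted");
        } catch (InvalidClassException e) {
            System.out.println("tampered key file rejected: " + e.getMessage());
        }
    }
}
```

The filter fails closed: if a JDK or security provider serializes keys through classes not in the pattern, the legitimate key file is rejected with an `InvalidClassException` naming the offending class, which is the signal to extend the allowlist rather than loosen it to `*`. In the original `startAgent`, the same filter would be set on the `ObjectInputStream` at line 296 before the `readObject()` call at line 297.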


> Deserialization of Untrusted Data
> ---------------------------------
>
>                 Key: KARAF-4214
>                 URL: https://issues.apache.org/jira/browse/KARAF-4214
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)