Posted to commits@karaf.apache.org by jb...@apache.org on 2022/01/21 10:05:47 UTC

[karaf-site] branch trunk updated: Publish CVE-2021-41766 and CVE-2022-22932

This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/karaf-site.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 706699a  Publish CVE-2021-41766 and CVE-2022-22932
706699a is described below

commit 706699a284f6d8016a1f6850c722789dd8686ec5
Author: Jean-Baptiste Onofré <jb...@apache.org>
AuthorDate: Fri Jan 21 11:05:22 2022 +0100

    Publish CVE-2021-41766 and CVE-2022-22932
---
 documentation.html          |  8 +++++++
 security/cve-2021-41766.txt | 58 +++++++++++++++++++++++++++++++++++++++++++++
 security/cve-2022-22932.txt | 45 +++++++++++++++++++++++++++++++++++
 3 files changed, 111 insertions(+)

diff --git a/documentation.html b/documentation.html
index ca0745d..97128c0 100644
--- a/documentation.html
+++ b/documentation.html
@@ -356,6 +356,14 @@ permalink: /documentation
                 <p>CVE-2020-11980: A remote client could create MBeans from arbitrary URLs.</p>
                 <a class="btn btn-outline-primary" href="/security/cve-2020-11980.txt">Notes &raquo;</a>
               </div>
+	      <div class="pb-4 mb-3">
+		<p>CVE-2021-41766: Insecure Java Deserialization.</p>
+		<a class="btn btn-outline-primary" href="/security/cve-2021-41766.txt">Notes &raquo;</a>
+	      </div>
+	      <div class="pb-4 mb-3">
+		<p>CVE-2022-22932: Path traversal flaws</p>
+		<a class="btn btn-outline-primary" href="/security/cve-2022-22932.txt">Notes &raquo;</a>
+	      </div>
 
             </div><!-- /.blog-main -->
         </div>
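Review bot: the CVE-2022-22932 entry's description "Path traversal flaws" is less specific than the sibling entries, which name the affected component (for example "A remote client could create MBeans from arbitrary URLs" for CVE-2020-11980), and it is missing the trailing period the other entries have. Since the advisory text in this same commit identifies the affected surface, the listing could read `<p>CVE-2022-22932: Path traversal in obr:* commands and the karaf-maven-plugin run goal.</p>` so operators scanning the page can tell at a glance whether they use that feature. The two added `div` blocks are also indented with tabs while the surrounding block uses spaces; matching the existing indentation keeps the rendered source consistent.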
diff --git a/security/cve-2021-41766.txt b/security/cve-2021-41766.txt
new file mode 100644
index 0000000..0b8d2f8
--- /dev/null
+++ b/security/cve-2021-41766.txt
@@ -0,0 +1,58 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2021-41766: Insecure Java Deserialization in Apache Karaf
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.3.6
+
+Description:
+
+Apache Karaf allows monitoring of applications and the Java runtime by
+using the Java Management Extensions (JMX).
+JMX is a Java RMI based technology that relies on Java serialized
+objects for client server communication.
+Whereas the default JMX implementation is hardened against
+unauthenticated deserialization attacks, the implementation
+used by Apache Karaf is not protected against this kind of attack.
+
+The impact of Java deserialization vulnerabilities strongly depends
+on the classes that are available within the targets
+class path. 
+Generally speaking, deserialization of untrusted data does always 
+represent a high security risk and should be prevented.
+
+The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path.
+It depends of system scoped classes (e.g. jar in the lib folder).
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=b42c82c
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=93a019c
+
+Mitigation: Apache Karaf users should upgrade to 4.3.6
+or later as soon as possible, or disable remote access to JMX server.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7312
+
+Credit: This issue was reported by Daniel Heyne, Konstantin Samuel and Tobias
+Neitzel
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
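Review bot: the "Versions Affected: all versions of Apache Karaf prior to 4.3.6" line is ambiguous for operators on the 4.2.x line, which the sibling advisory in this commit treats as a separate release train (it lists "4.2.15 or 4.3.6"); the advisory should state explicitly whether 4.2.x is affected, and if so which 4.2.x release carries the fix, otherwise 4.2.x users cannot tell from this text whether they need to act. The mitigation "disable remote access to JMX server" would be more actionable if it named the relevant Karaf configuration, since an operator who cannot upgrade immediately needs to know where that setting lives. Minor wording fixes in the Description: "within the targets class path" should be "within the target's class path", "does always represent a high security risk" should be "always represents a high security risk", and "It depends of system scoped classes" should be "It depends on system-scoped classes (e.g. jars in the lib folder)".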
diff --git a/security/cve-2022-22932.txt b/security/cve-2022-22932.txt
new file mode 100644
index 0000000..07d0afe
--- /dev/null
+++ b/security/cve-2022-22932.txt
@@ -0,0 +1,45 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVE-2022-22932: Path traversal flaws
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.2.15 or 4.3.6
+
+Description:
+
+Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial
+path traversal which allows to break out of expected folder.
+
+The risk is low as obr:* commands are not very used and the entry is set by user.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf
+
+Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6
+or later as soon as possible, or use correct path.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326
+
+Credit: This issue was discovered and reported by GHSL team member Jaroslav Lobacevski.
+-----BEGIN PGP SIGNATURE-----
+
+-----END PGP SIGNATURE-----
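Review bot: the mitigation "or use correct path" is not a mitigation an operator can apply or verify; if the point is that the flaw only triggers on attacker-controlled or malformed path input, say so and name what input is involved (the advisory only says "the entry is set by user"), otherwise drop the clause and leave the upgrade as the sole mitigation. The Description's "have partial path traversal which allows to break out of expected folder" should state which input reaches the filesystem and what "partial" means here (for example, whether a prefix check was bypassed), since defenders triaging this need that to assess exposure; it also reads better as "have a partial path traversal flaw that allows breaking out of the expected folder". Smaller points: "Versions Affected: all versions of Apache Karaf prior to 4.2.15 or 4.3.6" should tie each version to its release line, e.g. "4.2.x prior to 4.2.15 and 4.3.x prior to 4.3.6", and "obr:* commands are not very used" should be "obr:* commands are not widely used".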