Posted to issues@karaf.apache.org by "Prabhakaran Rajendran (Jira)" <ji...@apache.org> on 2023/03/29 10:10:00 UTC

[jira] [Updated] (KARAF-7683) Impact of CVE-2021-26291 on Karaf

     [ https://issues.apache.org/jira/browse/KARAF-7683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prabhakaran Rajendran updated KARAF-7683:
-----------------------------------------
    Description: 
We are using Apache Karaf 4.4.3 and our security scans report CVE-2021-26291 (https://nvd.nist.gov/vuln/detail/CVE-2021-26291) on our package because Karaf by default packs Maven 3.6.x. The fix for the specified CVE is Maven 3.8.1+. Apache Karaf 4.4.3 includes pax-url-aether, which packs Maven artifacts of version maven-resolver-api-1.8.2. So the CVE impacts Karaf 4.4.2.
 
Earlier, the tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts of version 3.6.x, and it got resolved in 4.4.2 as per the tickets below, but the Anchore Grype tool is still reporting this vulnerability on the latest Karaf 4.4.3 with a different Maven library, maven-resolver-api-1.8.2.
https://issues.apache.org/jira/browse/KARAF-7224
https://issues.apache.org/jira/browse/KARAF-7223
 
But does the issue specified in the CVE, such as Maven pulling dependencies from remote directories, really affect Karaf during runtime? Is it possible that a PoC has been done to validate this impact on Karaf? Or is it a false positive?

  was:
We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2021-26291 (https://nvd.nist.gov/vuln/detail/CVE-2021-26291) on our package because Karaf by default packs Maven 3.6.x. The fix for the specified CVE is Maven 3.8.1+ (https://maven.apache.org/docs/3.8.1/release-notes.html). Apache Karaf should update to use later versions of Maven resolver etc. so that this vulnerability is mitigated.

Apache Karaf 4.4.3 includes pax-url-aether, which packs Maven artifacts of version maven-resolver-api-1.8.2. So the CVE impacts Karaf 4.4.2.
 
Earlier, the tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts of version 3.6.x, and it got resolved in 4.4.2 as per the tickets below, but the Anchore Grype tool is still reporting this vulnerability on the latest Karaf 4.4.3 with a different Maven library, maven-resolver-api-1.8.2.
https://issues.apache.org/jira/browse/KARAF-7224
https://issues.apache.org/jira/browse/KARAF-7223
 
But does the issue specified in the CVE, such as Maven pulling dependencies from remote directories, really affect Karaf during runtime? Is it possible that a PoC has been done to validate this impact on Karaf? Or is it a false positive?


> Impact of CVE-2021-26291 on Karaf
> ---------------------------------
>
>                 Key: KARAF-7683
>                 URL: https://issues.apache.org/jira/browse/KARAF-7683
>             Project: Karaf
>          Issue Type: Dependency upgrade
>          Components: karaf
>    Affects Versions: 4.4.3
>         Environment: Apache Karaf - OSGi
>            Reporter: Prabhakaran Rajendran
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.10#820010)