Posted to commits@karaf.apache.org by jb...@apache.org on 2019/05/06 07:28:47 UTC

svn commit: r1858752 - in /karaf/site/production: documentation.html security/cve-2019-0226.txt

Author: jbonofre
Date: Mon May  6 07:28:47 2019
New Revision: 1858752

URL: http://svn.apache.org/viewvc?rev=1858752&view=rev
Log:
[scm-publish] Updating main website contents

Added:
    karaf/site/production/security/cve-2019-0226.txt
Modified:
    karaf/site/production/documentation.html

Modified: karaf/site/production/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/documentation.html?rev=1858752&r1=1858751&r2=1858752&view=diff
==============================================================================
--- karaf/site/production/documentation.html (original)
+++ karaf/site/production/documentation.html Mon May  6 07:28:47 2019
@@ -376,6 +376,10 @@
                 <p>CVE-2019-0191: Zip-slip vulnerability in KAR deployer.</p>
                 <a class="btn btn-outline-primary" href="security/cve-2019-0191.txt">Notes &raquo;</a>
               </div>
+              <div class="pb-4 mb-3">
+                <p>CVE-2019-0226: Arbitrary file write vulnerability in Config service.</p>
+                <a class="btn btn-outline-primary" href="security/cve-2019-0226.txt">Notes &raquo;</a>
+              </div>
 
             </div><!-- /.blog-main -->
         </div>
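Review bot: The new `<div class="pb-4 mb-3">` block mirrors the preceding CVE-2019-0191 entry exactly (same classes, same relative `security/cve-….txt` link target), and the link target matches the file added in this same commit, so the entry is consistent. One suggestion for the summary line: include the severity and the fixed version in the `<p>` text, e.g. `CVE-2019-0226 (Low, fixed in 4.2.5): Arbitrary file write vulnerability in Config service.`, so readers can triage from the index page without opening the note.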

Added: karaf/site/production/security/cve-2019-0226.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/security/cve-2019-0226.txt?rev=1858752&view=auto
==============================================================================
--- karaf/site/production/security/cve-2019-0226.txt (added)
+++ karaf/site/production/security/cve-2019-0226.txt Mon May  6 07:28:47 2019
@@ -0,0 +1,50 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+CVE-2019-0226: Arbitrary file write vulnerability in Config service
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.2.5
+
+Description:
+
+Apache Karaf Config service provides a install method (via service or MBean)
+that could be used to travel in any directory and overwrite existing file.
+
+The vulnerability is low if the Karaf process user has limited permission on
+the filesystem.
+
+The mitigation is to prevent travel "outside" of Karaf etc folder by checking
+the path argument of the method and prevent use of ".." in the path.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=fe3bc41
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=bf5ed62
+
+Mitigation: Apache Karaf users should upgrade to 4.2.5
+or later as soon as possible, or limit filesystem permission for the Karaf
+process user.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6230
+
+Credit: This issue was reported by 马凌涛 <ma...@163.com>
+-----BEGIN PGP SIGNATURE-----
+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+=7xvR
+-----END PGP SIGNATURE-----
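Review bot: Two wording points in the advisory body. First, the "Description" paragraph reads "a install method ... that could be used to travel in any directory and overwrite existing file"; suggest "an install method (via service or MBean) whose path argument is not validated, allowing it to traverse to any directory and overwrite an existing file". Second, the sentence "The mitigation is to prevent travel "outside" of Karaf etc folder ..." describes the code fix, while the later "Mitigation:" line describes what users should do; labelling the first one "Fix:" would avoid two different meanings of "mitigation" in the same note. On that fix description, "prevent use of ".." in the path" is narrower than what the fix needs to guarantee; stating it as "reject any path argument that does not resolve inside the Karaf etc folder" tells readers the intended invariant rather than one string check. The "Versions Affected" line (all versions prior to 4.2.5) and the upgrade recommendation (4.2.5 or later) agree, and the signed-message framing is complete.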