Posted to commits@karaf.apache.org by jb...@apache.org on 2018/09/14 15:55:52 UTC

svn commit: r1840937 - in /karaf/site/production: documentation.html security/cve-2018-11786.txt

Author: jbonofre
Date: Fri Sep 14 15:55:52 2018
New Revision: 1840937

URL: http://svn.apache.org/viewvc?rev=1840937&view=rev
Log:
[scm-publish] Updating main website contents

Added:
    karaf/site/production/security/cve-2018-11786.txt
Modified:
    karaf/site/production/documentation.html

Modified: karaf/site/production/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/documentation.html?rev=1840937&r1=1840936&r2=1840937&view=diff
==============================================================================
--- karaf/site/production/documentation.html (original)
+++ karaf/site/production/documentation.html Fri Sep 14 15:55:52 2018
@@ -317,6 +317,10 @@
                 <p>CVE-2016-8750 : Apache Karaf's LDAPLoginModule is vulnerable to LDAP injection.</p>
                 <a class="btn btn-outline-primary" href="security/cve-2016-8750.txt">Notes &raquo;</a>
               </div><!-- /.blog-post -->
+							<div class="pb-4 mb-3">
+								<p>CVE-2018-11786 : Enforce SSH permission based on RBAC.</p>
+								<a class="btn btn-outline-primary" href="security/cve-2018-11786.txt">Notes &raquo;</a>
+							</div>
 
             </div><!-- /.blog-main -->
         </div>
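Review bot: the new entry's text, "Enforce SSH permission based on RBAC.", describes the fix rather than the vulnerability, which is inconsistent with the entry directly above it ("Apache Karaf's LDAPLoginModule is vulnerable to LDAP injection"); suggest stating the exposure instead, e.g. "CVE-2018-11786 : Apache Karaf's SSH console does not enforce RBAC, so any console user can read and write files as the Karaf process user.", which matches the Description in the advisory added by this same commit. Style: the added `<div>` is indented with tabs where the surrounding markup uses spaces, and it omits the `<!-- /.blog-post -->` closing comment that the preceding block carries.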

Added: karaf/site/production/security/cve-2018-11786.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/security/cve-2018-11786.txt?rev=1840937&view=auto
==============================================================================
--- karaf/site/production/security/cve-2018-11786.txt (added)
+++ karaf/site/production/security/cve-2018-11786.txt Fri Sep 14 15:55:52 2018
@@ -0,0 +1,54 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+CVS-2018-11786: Apache Karaf SSH RBAC security enforcement
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Karaf prior to 4.2.0.M1
+
+Description:
+
+If the sshd service in Karaf is left on so an administrator can manage
+the running instance, any user with rights to the Karaf console can
+pivot and read/write any file on the file system to which the Karaf
+process user has access. This can be locked down a bit by using chroot
+to change the root directory to protect files outside of the Karaf
+install directory; it can be further locked down by defining a
+security manager policy that limits file system access to those
+directories beneath the Karaf home that are necessary for the system
+to run. However, this still allows anyone with ssh access to the Karaf
+process to read and write a large number of files as the Karaf process
+user.
+
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=24fb477
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=7ad0da3
+
+Migration:
+
+Apache Karaf users should upgrade to 4.2.0.M1 or later as soon as possible.
+
+Credit: This issue was reported by R.A. Porter
+-----BEGIN PGP SIGNATURE-----
+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+=5peJ
+-----END PGP SIGNATURE-----
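Review bot: the title line reads "CVS-2018-11786" where the file name, the documentation entry and the Migration section all use "CVE-2018-11786"; that line is what readers and scanners will match on, so fix it to "CVE-2018-11786: Apache Karaf SSH RBAC security enforcement" and re-sign, since the PGP signature covers the typo as written. The Description also explains the pre-fix exposure and the partial mitigations (chroot, a security manager policy) but never says what the fix changes; the "Enforce SSH permission based on RBAC" wording from the documentation entry belongs here as a sentence so operators can verify the behaviour after upgrading. Minor: "This has been fixed in revision:" is followed by two commits, so "revisions".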