You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "Prabhakaran Rajendran (Jira)" <ji...@apache.org> on 2023/03/29 10:09:00 UTC

[jira] [Created] (KARAF-7683) Impact of CVE-2021-26291 on Karaf

Prabhakaran Rajendran created KARAF-7683:
--------------------------------------------

             Summary: Impact of CVE-2021-26291 on Karaf
                 Key: KARAF-7683
                 URL: https://issues.apache.org/jira/browse/KARAF-7683
             Project: Karaf
          Issue Type: Dependency upgrade
          Components: karaf
    Affects Versions: 4.4.3
         Environment: Apache Karaf - OSGi
            Reporter: Prabhakaran Rajendran


We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2021-26291 ([https://nvd.nist.gov/vuln/detail/CVE-2021-26291|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).]) on our package because Karaf by default packs maven 3.6.x. The fix for the specified CVE is Maven 3.8.1+. ([https://maven.apache.org/docs/3.8.1/release-notes.html]) . Apache Karaf should update to use later versions of Maven resolver etc so that this vulnerability is mitigated.

Apache Karaf 4.4.3 includes pax-url-aether which packs Maven artifacts of version
maven-resolver-api-1.8.2. So the CVE impacts Karaf 4.4.2. 
 
Earlier tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts of version 3.6.x, and it got resolved in 4.4.2 as per tickets below, but still anchor grype tool is reporting this vulnerability on latest Karaf 4.4.3 with different maven library maven-resolver-api-1.8.2.
https://issues.apache.org/jira/browse/KARAF-7224
https://issues.apache.org/jira/browse/KARAF-7223
 
But does the issue specified in the CVE like maven pulling dependencies from remote directories really affect Karaf during runtime? Is it possible that a PoC has been done to validate this impact on Karaf?  Or is it false positive?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)