Posted to commits@karaf.apache.org by jb...@apache.org on 2019/03/07 13:02:41 UTC

svn commit: r1854975 - in /karaf/site/production: documentation.html security/cve-2019-0191.txt

Author: jbonofre
Date: Thu Mar  7 13:02:41 2019
New Revision: 1854975

URL: http://svn.apache.org/viewvc?rev=1854975&view=rev
Log:
[scm-publish] Updating main website contents

Added:
    karaf/site/production/security/cve-2019-0191.txt
Modified:
    karaf/site/production/documentation.html

Modified: karaf/site/production/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/documentation.html?rev=1854975&r1=1854974&r2=1854975&view=diff
==============================================================================
--- karaf/site/production/documentation.html (original)
+++ karaf/site/production/documentation.html Thu Mar  7 13:02:41 2019
@@ -372,6 +372,10 @@
 								<p>CVE-2018-11788 : XXE vulnerability found on Apache Karaf.</p>
 								<a class="btn btn-outline-primary" href="security/cve-2018-11788.txt">Notes &raquo;</a>
 							</div>
+              <div class="pb-4 mb-3">
+                <p>CVE-2019-0191: Zip-slip vulnerability in KAR deployer.</p>
+                <a class="btn btn-outline-primary" href="security/cve-2019-0191.txt">Notes &raquo;</a>
+              </div>
 
             </div><!-- /.blog-main -->
         </div>
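Review bot: the four added lines are indented with spaces while the surrounding markup in this hunk uses tabs (compare the `<p>CVE-2018-11788 ...</p>` and `</div>` context lines), so the new block will not line up in an editor; suggest re-indenting the new `<div class="pb-4 mb-3">` block with tabs to match. The new entry's `CVE-2019-0191:` spacing is the cleaner form, so the older `CVE-2018-11788 :` line is the one that should eventually be aligned to it, not the other way round.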

Added: karaf/site/production/security/cve-2019-0191.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/security/cve-2019-0191.txt?rev=1854975&view=auto
==============================================================================
--- karaf/site/production/security/cve-2019-0191.txt (added)
+++ karaf/site/production/security/cve-2019-0191.txt Thu Mar  7 13:02:41 2019
@@ -0,0 +1,57 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+CVE-2019-0191: Zip-slip vulnerability in KAR deployer
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.2.3
+
+Description:
+
+Apache Karaf kar deployer reads .kar archives and extracts the paths from
+the "repository/" and "resources/" entries in the zip file.
+
+It then writes out the content of these paths to the Karaf repo and resources
+directories. However, it doesn't do any validation on the paths in the zip
+file. This means that a malicious user could craft a .kar file with ".."
+directory names and break out of the directories to write arbitrary content
+to the filesystem. This is the "Zip-slip" vulnerability -
+https://snyk.io/research/zip-slip-vulnerability
+
+This vulnerability is low if the Karaf process user has limited permission
+on the filesystem.
+
+The mitigation is to prevent "Zip-slip" by checking the path used in kar zip
+entries and prevent use of ".." path.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=fef9a61
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=e36a7a6
+
+Mitigation: Apache Karaf users should upgrade to 4.2.3
+or later as soon as possible, or limit filesystem permission for the Karaf
+process user.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6090
+
+Credit: This issue was reported by Colm O hEigeartaigh
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
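Review bot: the fix description ("checking the path used in kar zip entries and prevent use of '..' path") understates what a correct zip-slip fix has to do; since the advisory links the zip-slip writeup, suggest wording the mitigation as resolving each entry's destination against the target repository/resources directory and rejecting any entry whose resolved path falls outside it, rather than describing it as a check for ".." only, so readers verifying the referenced commits know what to look for. Two smaller documentation points in the same hunk: "Severity: Low" is stated unconditionally near the top while the body says the impact is low only "if the Karaf process user has limited permission on the filesystem", so the severity line could carry that qualifier; and the "Credit:" line runs directly into "-----BEGIN PGP SIGNATURE-----" without the blank line every other section of the message has.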