Posted to issues@karaf.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2017/02/10 09:48:41 UTC
[jira] [Assigned] (KARAF-4214) Deserialization of Untrusted Data
[ https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Guillaume Nodet reassigned KARAF-4214:
--------------------------------------
Assignee: Guillaume Nodet
> Deserialization of Untrusted Data
> ---------------------------------
>
> Key: KARAF-4214
> URL: https://issues.apache.org/jira/browse/KARAF-4214
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Assignee: Guillaume Nodet
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
> The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An adversary could attack the application by tampering with the resource "karaf.key".
> File: client\src\main\java\org\apache\karaf\client\Main.java
> Line: 297
> Main.java, lines 291-313:
> {code}
> 291     private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
> 292         InputStream is = null;
> 293         try {
> 294             SshAgent agent = new AgentImpl();
> 295             is = privateKeyUrl.openStream();
> 296             ObjectInputStream r = new ObjectInputStream(is);
> 297             KeyPair keyPair = (KeyPair) r.readObject();
> 298             is.close();
> 299             agent.addIdentity(keyPair, user);
> 300             if (keyFile != null) {
> 301                 String[] keyFiles = new String[]{keyFile};
> 302                 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
> 303                 for (KeyPair key : fileKeyPairProvider.loadKeys()) {
> 304                     agent.addIdentity(key, user);
> 305                 }
> 306             }
> 307             return agent;
> 308         } catch (Throwable e) {
> 309             close(is);
> 310             System.err.println("Error starting ssh agent for: " + e.getMessage());
> 311             return null;
> 312         }
> 313     }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
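One way to harden the read at line 297 of Main.java, added here as an example and not Karaf's own code or its eventual fix, is to keep the serialized karaf.key format but let the stream instantiate only the few classes a JDK KeyPair legitimately contains, with bounds on depth, references and array sizes. The class allowlist, limits and the SafeKeyPairReader name are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.net.URL;
import java.security.KeyPair;

// Added example (not Karaf's code): a deserialization filter (Java 9+, JEP 290)
// for reading a java.security.KeyPair from karaf.key.
public class SafeKeyPairReader {

    // Classes present in a KeyPair serialized by the standard JDK providers:
    // KeyPair itself, java.security.KeyRep (the writeReplace form of JDK keys),
    // its Type enum with the Enum superclass, and String for algorithm/format.
    // The byte[] holding the encoded key is a primitive array, which the filter
    // leaves UNDECIDED (so not rejected by "!*") but bounds via maxarray.
    // The limits are assumptions sized generously for RSA/EC/DSA key pairs.
    private static final ObjectInputFilter KEYPAIR_FILTER =
        ObjectInputFilter.Config.createFilter(
            "java.security.KeyPair;"
            + "java.security.KeyRep;"
            + "java.security.KeyRep$Type;"
            + "java.lang.Enum;"
            + "java.lang.String;"
            + "maxdepth=10;maxrefs=64;maxbytes=65536;maxarray=16384;"
            + "!*");                      // reject every other class

    // Returns the KeyPair in the resource, or throws IOException if the
    // stream contains a disallowed class (surfaced as InvalidClassException),
    // exceeds a limit, or does not hold a complete KeyPair.
    public static KeyPair readKeyPair(URL privateKeyUrl) throws IOException {
        try (InputStream is = privateKeyUrl.openStream();
             ObjectInputStream ois = new ObjectInputStream(is)) {
            ois.setObjectInputFilter(KEYPAIR_FILTER);   // must precede readObject()
            Object obj = ois.readObject();
            if (!(obj instanceof KeyPair)) {
                throw new IOException("karaf.key did not contain a KeyPair");
            }
            KeyPair kp = (KeyPair) obj;
            if (kp.getPrivate() == null || kp.getPublic() == null) {
                throw new IOException("karaf.key is missing a key half");
            }
            return kp;
        } catch (ClassNotFoundException e) {
            throw new IOException("unexpected class in karaf.key", e);
        }
    }
}
```

The same protection can be applied process-wide with the jdk.serialFilter system property instead of per stream, which also covers deserialization paths the code review did not flag.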