Posted to issues@karaf.apache.org by "Guillaume Nodet (JIRA)" <ji...@apache.org> on 2017/02/10 09:48:41 UTC

[jira] [Assigned] (KARAF-4214) Deserialization of Untrusted Data

     [ https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet reassigned KARAF-4214:
--------------------------------------

    Assignee: Guillaume Nodet

> Deserialization of Untrusted Data
> ---------------------------------
>
>                 Key: KARAF-4214
>                 URL: https://issues.apache.org/jira/browse/KARAF-4214
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>            Assignee: Guillaume Nodet
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
> The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An adversary could attack the application by tampering with the resource "karaf.key". 
> File: client\src\main\java\org\apache\karaf\client\Main.java
> Line: 297
> Main.java, lines 291-313:
> {code}
> 291 private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
> 292     InputStream is = null;
> 293     try {
> 294         SshAgent agent = new AgentImpl();
> 295         is = privateKeyUrl.openStream();
> 296         ObjectInputStream r = new ObjectInputStream(is);
> 297         KeyPair keyPair = (KeyPair) r.readObject();
> 298         is.close();
> 299         agent.addIdentity(keyPair, user);
> 300         if (keyFile != null) {
> 301             String[] keyFiles = new String[]{keyFile};
> 302             FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
> 303             for (KeyPair key : fileKeyPairProvider.loadKeys()) {
> 304                 agent.addIdentity(key, user);                
> 305             }
> 306         }
> 307         return agent;
> 308     } catch (Throwable e) {
> 309         close(is);
> 310         System.err.println("Error starting ssh agent for: " + e.getMessage());
> 311         return null;
> 312     }
> 313 }
> {code}

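One way to close the hole at Main.java line 297 without changing the key file format: a look-ahead ObjectInputStream that refuses to resolve any class other than the handful a serialized java.security.KeyPair actually contains. This is an added example, not Karaf's code; it assumes, as the quoted snippet implies, that karaf.key holds a Java-serialized KeyPair, and the class and method names (KeyPairInputStream, readKeyPair) are hypothetical. JDK key implementations serialize through the java.security.KeyRep proxy, which is why KeyRep, its Type enum, the Enum superclass descriptor and byte[] are on the allowlist.

```java
import java.io.*;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.*;

/** Look-ahead ObjectInputStream: resolves only the classes a serialized KeyPair needs. */
public final class KeyPairInputStream extends ObjectInputStream {
    // KeyPair itself, java.security.KeyRep (the serialized proxy JDK key classes write via
    // writeReplace), its Type enum, the Enum superclass descriptor, and the encoded key bytes.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.security.KeyPair", "java.security.KeyRep",
            "java.security.KeyRep$Type", "java.lang.Enum", "[B"));

    public KeyPairInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            // Reject before the class is loaded, so no foreign readObject()/readResolve() ever runs.
            throw new InvalidClassException(desc.getName(), "class not permitted in key file");
        }
        return super.resolveClass(desc);
    }

    /** Replacement for the unrestricted r.readObject() at Main.java line 297. */
    public static KeyPair readKeyPair(InputStream is) throws IOException, ClassNotFoundException {
        try (KeyPairInputStream in = new KeyPairInputStream(is)) {
            return (KeyPair) in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a fresh RSA key pair stands in for the contents of karaf.key.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        KeyPair back = readKeyPair(new ByteArrayInputStream(serialize(kp)));
        System.out.println("key pair restored: " + back.getPublic().equals(kp.getPublic()));
        try {  // any other serialized object (here an empty HashMap) is refused up front
            readKeyPair(new ByteArrayInputStream(serialize(new HashMap<String, String>())));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same allowlist can be expressed as a JEP 290 ObjectInputFilter installed with ObjectInputStream.setObjectInputFilter instead of overriding resolveClass.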


--
This message was sent by Atlassian JIRA
(v6.3.15#6346)