Posted to dev@karaf.apache.org by Mark R Green <ma...@raytheon.com> on 2015/12/01 23:37:56 UTC
Karaf security issue?
We had a software team trying to use this but the OSVDB site shows a
security issue with Karaf.
http://osvdb.org/show/osvdb/119812
This does not appear to be fixed in 4.0.3?
Mark
Re: Karaf security issue?
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Actually, we implemented a workaround, like the possibility to provide
the shutdown command.
The random command ID is already generated by Karaf at startup.
I agree with Christian that it's not a huge security issue.
The corresponding Jira is there:
https://issues.apache.org/jira/browse/KARAF-3825
Regards
JB
On 12/02/2015 12:43 PM, Christian Schneider wrote:
> Yes, as far as I can tell there is currently no fix.
> We could create a random secret at Karaf start that then needs to be
> sent to the port to improve security.
>
> As the problem is only local, I would also not consider it to be too
> critical in most cases.
>
> Christian
>
> On 01.12.2015 at 23:37, Mark R Green wrote:
>> We had a software team trying to use this but the OSVDB site shows a
>> security issue with Karaf.
>> http://osvdb.org/show/osvdb/119812
>>
>> This does not appear to be fixed in 4.0.3?
>>
>> Mark
>
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
Re: Karaf security issue?
Posted by Christian Schneider <ch...@die-schneider.net>.
Yes, as far as I can tell there is currently no fix.
We could create a random secret at Karaf start that then needs to be
sent to the port to improve security.
As the problem is only local, I would also not consider it to be too
critical in most cases.
Christian
On 01.12.2015 at 23:37, Mark R Green wrote:
> We had a software team trying to use this but the OSVDB site shows a
> security issue with Karaf.
> http://osvdb.org/show/osvdb/119812
>
> This does not appear to be fixed in 4.0.3?
>
> Mark
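
The mitigation discussed in this thread (a random secret created at start that must be sent to the shutdown port), sketched as an added example; it is not code from the thread or from Karaf. The class name, the file name `shutdown.secret`, the secret format and the POSIX file system are assumptions made for illustration.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class ShutdownListener {
    public static void main(String[] args) throws IOException {
        // Random secret created once per start: 32 bytes from a CSPRNG, base64url text.
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byte[] secret = token.getBytes(StandardCharsets.US_ASCII);

        // Loopback only, OS-chosen port: the listener is not bound to a network interface.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            // Hand port and secret to the legitimate stop script through an owner-only
            // file (hypothetical name; assumes a POSIX file system).
            Path file = Paths.get("shutdown.secret");
            Files.deleteIfExists(file);
            Files.createFile(file, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------")));
            Files.write(file, (server.getLocalPort() + "\n" + token + "\n")
                    .getBytes(StandardCharsets.US_ASCII));

            boolean stop = false;
            while (!stop) {
                try (Socket client = server.accept()) {
                    client.setSoTimeout(2000);             // per-read timeout: an idle client cannot hold the listener
                    byte[] got = new byte[secret.length];  // bounded read, exactly the secret's length
                    new DataInputStream(client.getInputStream()).readFully(got);
                    stop = MessageDigest.isEqual(secret, got); // constant-time comparison
                } catch (IOException e) {
                    // Short, slow or broken request: ignore it and keep listening.
                }
            }
            Files.deleteIfExists(file);
        }
        System.out.println("valid shutdown secret received, stopping");
    }
}
```

Because the thread describes the problem as local, the file permissions carry the protection here: another local account can still connect to the loopback port but cannot read the secret it would have to send.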