Posted to dev@karaf.apache.org by Mark R Green <ma...@raytheon.com> on 2015/12/01 23:37:56 UTC

Karaf security issue?

We had a software team trying to use this but the OSVDB site shows a
security issue with Karaf.
http://osvdb.org/show/osvdb/119812

This does not appear to be fixed in 4.0.3?

Mark

Re: Karaf security issue?

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Actually, we implemented some workaround like the possibility to provide 
the shutdown command.

The random command ID is already generated by Karaf at startup.

I agree with Christian that it's not a huge security issue.

The corresponding Jira is there:

https://issues.apache.org/jira/browse/KARAF-3825

Regards
JB

On 12/02/2015 12:43 PM, Christian Schneider wrote:
> Yes.. as far as I can tell there is currently no fix.
> We could create a random secret at karaf start that then needs to be
> sent to the port to improve security.
>
> As the problem is only local I would also not consider it to be too
> critical in most cases.
>
> Christian
>
> On 01.12.2015 at 23:37, Mark R Green wrote:
>> We had a software team trying to use this but the OSVDB site shows a
>> security issue with Karaf.
>> http://osvdb.org/show/osvdb/119812
>>
>> This does not appear to be fixed in 4.0.3?
>>
>> Mark
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Karaf security issue?

Posted by Christian Schneider <ch...@die-schneider.net>.
Yes.. as far as I can tell there is currently no fix.
We could create a random secret at karaf start that then needs to be 
sent to the port to improve security.

As the problem is only local I would also not consider it to be too 
critical in most cases.

Christian

On 01.12.2015 at 23:37, Mark R Green wrote:
> We had a software team trying to use this but the OSVDB site shows a
> security issue with Karaf.
> http://osvdb.org/show/osvdb/119812
>
> This does not appear to be fixed in 4.0.3?
>
> Mark
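
The mitigation proposed in the thread (a random secret created at start that must be sent to the port before a shutdown is accepted), as an added Java sketch that is not part of any message above and is not Karaf's own code. The class name, the shutdown.secret file name and the one-line protocol are assumptions for illustration; the file-permission call needs a POSIX file system.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class GuardedShutdownPort {
    // Hypothetical location; only the account that runs the process may read it.
    static final Path SECRET_FILE = Paths.get("shutdown.secret");

    public static void main(String[] args) throws IOException {
        // 256-bit secret, fresh on every start, so a value from an earlier run is useless.
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        byte[] secret = Base64.getUrlEncoder().withoutPadding().encode(raw);

        // Create the file owner-only before writing, so it is never world-readable.
        Files.deleteIfExists(SECRET_FILE);
        Files.createFile(SECRET_FILE,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.write(SECRET_FILE, secret);

        // Loopback only; port 0 lets the OS pick a free port.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            System.out.println("shutdown port: " + server.getLocalPort());
            while (true) {
                try (Socket client = server.accept()) {
                    client.setSoTimeout(2000); // a silent client cannot hold the listener
                    byte[] sent = readLine(client.getInputStream(), secret.length);
                    // MessageDigest.isEqual compares in constant time for equal lengths.
                    if (MessageDigest.isEqual(secret, sent)) {
                        System.out.println("valid secret received, shutting down");
                        return;
                    }
                    System.err.println("rejected shutdown request");
                } catch (IOException e) {
                    System.err.println("shutdown client error: " + e.getMessage());
                }
            }
        } finally {
            Files.deleteIfExists(SECRET_FILE);
        }
    }

    // Reads up to a newline and stops after max + 1 bytes, so oversized input is never buffered.
    static byte[] readLine(InputStream in, int max) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        for (int b; buf.size() <= max && (b = in.read()) != -1 && b != '\n'; ) buf.write(b);
        return buf.toByteArray();
    }
}
```

A local user who cannot read the secret file can still connect to the port, but the request is rejected and logged instead of stopping the process.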