[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [SECURITY] New security advisory for CVE-2019-0226 released for Apache Karaf
From:       Jean-Baptiste_Onofré <jb () nanthrax ! net>
Date:       2019-05-06 7:33:49
Message-ID: 5ae336cf-623c-6aee-e50f-9d60c6dc15a4 () nanthrax ! net
[Download RAW message or body]

A new security advisory has been released for Apache Karaf, that is
fixed in recent 4.2.5 release.

CVE-2019-0226: Arbitrary file write vulnerability in Config service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.5

Description:

Apache Karaf Config service provides a install method (via service or
MBean) that could be used to travel in any directory and overwrite
existing file.

The vulnerability is low if the Karaf process user has limited
permission on the filesystem.

The mitigation is to prevent travel "outside" of Karaf etc folder by
checking the path argument of the method and prevent use of ".." in the
path.

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=fe3bc41
https://gitbox.apache.org/repos/asf?p=karaf.git;h=bf5ed62

Mitigation: Apache Karaf users should upgrade to 4.2.5
or later as soon as possible, or limit filesystem permission for the
Karaf process user.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6230

Credit: This issue was reported by 马凌涛 <malingtao1019@163.com>


[prev in list] [next in list] [prev in thread] [next in thread]