karaf-commits mailing list archives

From jbono...@apache.org
Subject [karaf-site] branch trunk updated: Publish CVE-2019-0191 security advisory
Date Thu, 07 Mar 2019 12:59:01 GMT
This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/karaf-site.git

The following commit(s) were added to refs/heads/trunk by this push:
     new e007900  Publish CVE-2019-0191 security advisory
e007900 is described below

commit e0079003cc907c5b7145e390b66c422400793221
Author: Jean-Baptiste Onofré <jbonofre@apache.org>
AuthorDate: Thu Mar 7 13:58:39 2019 +0100

    Publish CVE-2019-0191 security advisory
 src/main/webapp/documentation.html         |  4 +++
 src/main/webapp/security/cve-2019-0191.txt | 57 ++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/src/main/webapp/documentation.html b/src/main/webapp/documentation.html
index 2f57464..b9d8251 100644
--- a/src/main/webapp/documentation.html
+++ b/src/main/webapp/documentation.html
@@ -372,6 +372,10 @@
 								<p>CVE-2018-11788 : XXE vulnerability found on Apache Karaf.</p>
 								<a class="btn btn-outline-primary" href="security/cve-2018-11788.txt">Notes
+              <div class="pb-4 mb-3">
+                <p>CVE-2019-0191: Zip-slip vulnerability in KAR deployer.</p>
+                <a class="btn btn-outline-primary" href="security/cve-2019-0191.txt">Notes
+              </div>
             </div><!-- /.blog-main -->
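Review bot: the `<a class="btn btn-outline-primary" href="security/cve-2019-0191.txt">Notes` element in the added block is never closed; the next added line is `</div>`, so the anchor is left open when the card div is closed. Add the `</a>` before `</div>` so the markup is well-formed rather than relying on the browser to auto-close it. The added lines are also indented with spaces while the surrounding `<p>` and `<a>` lines for CVE-2018-11788 use tabs; match the existing indentation.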
diff --git a/src/main/webapp/security/cve-2019-0191.txt b/src/main/webapp/security/cve-2019-0191.txt
new file mode 100644
index 0000000..01c75dc
--- /dev/null
+++ b/src/main/webapp/security/cve-2019-0191.txt
@@ -0,0 +1,57 @@
+Hash: SHA256
+CVE-2019-0191: Zip-slip vulnerability in KAR deployer
+Severity: Low
+Vendor: The Apache Software Foundation
+Versions Affected: all versions of Apache Karaf prior to 4.2.3
+Apache Karaf kar deployer reads .kar archives and extracts the paths from
+the "repository/" and "resources/" entries in the zip file.
+It then writes out the content of these paths to the Karaf repo and resources
+directories. However, it doesn't do any validation on the paths in the zip
+file. This means that a malicious user could craft a .kar file with ".."
+directory names and break out of the directories to write arbitrary content
+to the filesystem. This is the "Zip-slip" vulnerability -
+This vulnerability is low if the Karaf process user has limited permission
+on the filesystem.
+The mitigation is to prevent "Zip-slip" by checking the path used in kar zip
+entries and prevent use of ".." path.
+This has been fixed in revision:
+Mitigation: Apache Karaf users should upgrade to 4.2.3
+or later as soon as possible, or limit filesystem permission for the Karaf
+process user.
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6090
+Credit: This issue was reported by Colm O hEigeartaigh
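Review bot: `This has been fixed in revision:` names no revision; either fill in the fixing commit or drop the line, since as published it reads as an unfinished sentence. Two related loose ends in the same file: `Hash: SHA256` is the header of a PGP clearsigned message, but there is no `BEGIN PGP SIGNED MESSAGE` line and no signature block, so either publish the clearsigned text or remove the header; and `This is the "Zip-slip" vulnerability -` ends on a dangling dash where a reference appears to have been cut. Finally, the mitigation sentence only says to `prevent use of ".." path`; the stronger statement, and the one readers will implement, is that the deployer normalises each joined target path and refuses any entry whose canonical path is not under the target directory, which also covers absolute entry names.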
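The advisory describes the mechanism (entry names under `repository/` and `resources/` are joined onto the Karaf directories without validation, so a `..` component writes outside them) and the fix (validate the path). The following is an added example written for this page, in Python rather than Karaf's Java, and is not Karaf's code: it builds a constructed KAR-style zip with `..` entries, runs an unvalidated extraction that mirrors the described behaviour, and runs a hardened extraction that canonicalises each target and requires it to stay under its base directory. The routing of the two prefixes follows the advisory; the target directory names `system` and `resources`, the entry names and the file contents are all constructed for the example. The containment check goes beyond a plain `..` test and also rejects absolute remainders and backslash-separated names.

```python
"""Zip-slip in a KAR-style archive: a crafted entry that climbs out of the
extraction directory, the unvalidated extraction the advisory describes,
and a hardened version that canonicalises each target and requires it to
stay under its base directory. Added example, not Karaf's code; the
'repository/' and 'resources/' routing follows the advisory, the target
directory names 'system' and 'resources' are constructed for the demo."""
import io
import os
import tempfile
import zipfile

# Constructed layout: where each KAR prefix is unpacked, relative to dest.
ROUTES = {"repository/": "system", "resources/": "resources"}


def route(name):
    """Strips the KAR prefix and names the directory it unpacks into.
    Entries outside the two prefixes are ignored, as a deployer would."""
    for prefix, subdir in ROUTES.items():
        if name.startswith(prefix):
            return subdir, name[len(prefix):]
    return None


def build_malicious_kar():
    """Constructed sample: one benign entry plus two whose names use '..'
    to leave their target directory (the attacker controls these names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("repository/org/example/app/1.0/app-1.0.jar", b"benign")
        zf.writestr("repository/../../../etc/pwned.cfg", b"attacker")
        zf.writestr("resources/../etc/users.properties", b"attacker")
    return buf.getvalue()


def safe_target(base, rel):
    """Canonicalises base and candidate and requires the candidate to be
    inside base. Rejects '..' that escapes after normalisation, absolute
    remainders and backslash-separated names; a plain '..' substring check
    misses the absolute case."""
    base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, rel.replace("\\", "/")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("zip-slip entry rejected: %r" % rel)
    return candidate


def check_entry(base, rel):
    """True if rel would stay under base; performs no filesystem writes."""
    try:
        safe_target(base, rel)
        return True
    except ValueError:
        return False


def extract(kar, dest, validate):
    """Unpacks the archive under dest. With validate=False this is the
    behaviour the advisory describes: os.path.join keeps '..' as-is and
    the file lands wherever the entry name points."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(kar)) as zf:
        for info in zf.infolist():
            routed = route(info.filename)
            if info.is_dir() or routed is None:
                continue
            subdir, rel = routed
            base = os.path.join(dest, subdir)
            if validate:
                try:
                    target = safe_target(base, rel)
                except ValueError:
                    rejected.append(info.filename)
                    continue
            else:
                target = os.path.join(base, rel)  # '..' survives here
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append((os.path.realpath(base), os.path.realpath(target)))
    return written, rejected


def demo():
    """Runs both modes in a scratch tree (nothing is written outside it);
    reports how many naive writes left their base directory and what the
    validating mode wrote and rejected."""
    kar = build_malicious_kar()
    with tempfile.TemporaryDirectory() as root:
        naive_written, _ = extract(kar, os.path.join(root, "naive", "deploy"), False)
        safe_written, rejected = extract(kar, os.path.join(root, "safe", "deploy"), True)
    escaped = [t for b, t in naive_written if os.path.commonpath([b, t]) != b]
    return {
        "naive_written": len(naive_written),
        "naive_escaped": len(escaped),
        "safe_written": [os.path.basename(t) for _, t in safe_written],
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The naive mode writes all three entries and two of them end up outside their base directory (one above the whole deploy tree, one in a sibling `etc/` directory); the validating mode writes only the benign jar and rejects the other two by name. `check_entry` can be used on its own to vet entry names before anything is unpacked.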
