karaf-commits mailing list archives

From jbono...@apache.org
Subject [karaf-site] branch trunk updated: Publish CVE-2019-0191 security advisory
Date Thu, 07 Mar 2019 12:59:01 GMT
This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/karaf-site.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e007900  Publish CVE-2019-0191 security advisory
e007900 is described below

commit e0079003cc907c5b7145e390b66c422400793221
Author: Jean-Baptiste Onofré <jbonofre@apache.org>
AuthorDate: Thu Mar 7 13:58:39 2019 +0100

    Publish CVE-2019-0191 security advisory
---
 src/main/webapp/documentation.html         |  4 +++
 src/main/webapp/security/cve-2019-0191.txt | 57 ++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/src/main/webapp/documentation.html b/src/main/webapp/documentation.html
index 2f57464..b9d8251 100644
--- a/src/main/webapp/documentation.html
+++ b/src/main/webapp/documentation.html
@@ -372,6 +372,10 @@
 								<p>CVE-2018-11788 : XXE vulnerability found on Apache Karaf.</p>
 								<a class="btn btn-outline-primary" href="security/cve-2018-11788.txt">Notes
&raquo;</a>
 							</div>
+              <div class="pb-4 mb-3">
+                <p>CVE-2019-0191: Zip-slip vulnerability in KAR deployer.</p>
+                <a class="btn btn-outline-primary" href="security/cve-2019-0191.txt">Notes
&raquo;</a>
+              </div>
 
             </div><!-- /.blog-main -->
         </div>
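Review bot: The added `<div class="pb-4 mb-3">` block is indented with spaces while the surrounding entries in this section use tabs, and the new entry writes `CVE-2019-0191:` without the space before the colon that the neighbouring `CVE-2018-11788 :` entry uses; align both the indentation and the label format with the existing entries so the advisory list renders and reads consistently.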
diff --git a/src/main/webapp/security/cve-2019-0191.txt b/src/main/webapp/security/cve-2019-0191.txt
new file mode 100644
index 0000000..01c75dc
--- /dev/null
+++ b/src/main/webapp/security/cve-2019-0191.txt
@@ -0,0 +1,57 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+CVE-2019-0191: Zip-slip vulnerability in KAR deployer
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.2.3
+
+Description:
+
+Apache Karaf kar deployer reads .kar archives and extracts the paths from
+the "repository/" and "resources/" entries in the zip file.
+
+It then writes out the content of these paths to the Karaf repo and resources
+directories. However, it doesn't do any validation on the paths in the zip
+file. This means that a malicious user could craft a .kar file with ".."
+directory names and break out of the directories to write arbitrary content
+to the filesystem. This is the "Zip-slip" vulnerability -
+https://snyk.io/research/zip-slip-vulnerability
+
+This vulnerability is low if the Karaf process user has limited permission
+on the filesystem.
+
+The mitigation is to prevent "Zip-slip" by checking the path used in kar zip
+entries and prevent use of ".." path.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=fef9a61
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=e36a7a6
+
+Mitigation: Apache Karaf users should upgrade to 4.2.3
+or later as soon as possible, or limit filesystem permission for the Karaf
+process user.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6090
+
+Credit: This issue was reported by Colm O hEigeartaigh
+-----BEGIN PGP SIGNATURE-----
+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+=SVQ5
+-----END PGP SIGNATURE-----
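Review bot: The mitigation paragraph describes the fix as checking kar zip entries to "prevent use of '..' path", which understates what a safe check needs: rejecting the literal `..` component alone does not cover absolute entry names or other traversal forms, so the advisory should describe the check as resolving each entry against the target repository or resources directory and verifying that the normalized result still lies within it, which is the property the referenced fix revisions (fef9a61, e36a7a6) should be read against. The severity statement "This vulnerability is low if the Karaf process user has limited permission on the filesystem" would also be clearer if it said explicitly that the impact rises to arbitrary file write with the privileges of the Karaf process when that user is not restricted, since that is the condition the "limit filesystem permission" mitigation addresses.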

