karaf-commits mailing list archives

From jbono...@apache.org
Subject svn commit: r1854975 - in /karaf/site/production: documentation.html security/cve-2019-0191.txt
Date Thu, 07 Mar 2019 13:02:41 GMT
Author: jbonofre
Date: Thu Mar  7 13:02:41 2019
New Revision: 1854975

URL: http://svn.apache.org/viewvc?rev=1854975&view=rev
[scm-publish] Updating main website contents


Modified: karaf/site/production/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/documentation.html?rev=1854975&r1=1854974&r2=1854975&view=diff
--- karaf/site/production/documentation.html (original)
+++ karaf/site/production/documentation.html Thu Mar  7 13:02:41 2019
@@ -372,6 +372,10 @@
 								<p>CVE-2018-11788 : XXE vulnerability found on Apache Karaf.</p>
 								<a class="btn btn-outline-primary" href="security/cve-2018-11788.txt">Notes
+              <div class="pb-4 mb-3">
+                <p>CVE-2019-0191: Zip-slip vulnerability in KAR deployer.</p>
+                <a class="btn btn-outline-primary" href="security/cve-2019-0191.txt">Notes
+              </div>
             </div><!-- /.blog-main -->
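Review bot: the new `<div class="pb-4 mb-3">` opens directly after the previous entry's `<a class="btn btn-outline-primary" href="security/cve-2018-11788.txt">Notes` line, and neither that anchor's `</a>` nor the previous entry's own wrapper close is visible in the context; please confirm in the full file that both are closed before this block opens, otherwise the CVE-2019-0191 entry nests inside the CVE-2018-11788 link. Two smaller points: the added lines are indented with spaces while the surrounding lines use tabs, and the new title reads `CVE-2019-0191:` where the existing entry reads `CVE-2018-11788 :`, so pick one spacing for the list.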

Added: karaf/site/production/security/cve-2019-0191.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/security/cve-2019-0191.txt?rev=1854975&view=auto
--- karaf/site/production/security/cve-2019-0191.txt (added)
+++ karaf/site/production/security/cve-2019-0191.txt Thu Mar  7 13:02:41 2019
@@ -0,0 +1,57 @@
+Hash: SHA256
+CVE-2019-0191: Zip-slip vulnerability in KAR deployer
+Severity: Low
+Vendor: The Apache Software Foundation
+Versions Affected: all versions of Apache Karaf prior to 4.2.3
+Apache Karaf kar deployer reads .kar archives and extracts the paths from
+the "repository/" and "resources/" entries in the zip file.
+It then writes out the content of these paths to the Karaf repo and resources
+directories. However, it doesn't do any validation on the paths in the zip
+file. This means that a malicious user could craft a .kar file with ".."
+directory names and break out of the directories to write arbitrary content
+to the filesystem. This is the "Zip-slip" vulnerability -
+This vulnerability is low if the Karaf process user has limited permission
+on the filesystem.
+The mitigation is to prevent "Zip-slip" by checking the path used in kar zip
+entries and prevent use of ".." path.
+This has been fixed in revision:
+Mitigation: Apache Karaf users should upgrade to 4.2.3
+or later as soon as possible, or limit filesystem permission for the Karaf
+process user.
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6090
+Credit: This issue was reported by Colm O hEigeartaigh
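Review bot: `This has been fixed in revision:` has nothing after the colon; either fill in the fixing revision (KARAF-6090 should carry it) or drop the line, since an advisory pointing at an empty revision cannot be acted on. The described fix, `checking the path used in kar zip entries and prevent use of ".." path`, is also weaker than the deployer needs: an entry can escape the target directory with an absolute name, or on Windows with `..\` separators that a `/`-split component check never sees, while a plain `..` substring test wrongly rejects legitimate names such as `foo..bar`. The robust check is to resolve and normalise the entry name against the target directory and reject it unless the result is still inside that directory, for example `targetDir.resolve(name).normalize().startsWith(targetDir)` with `java.nio.file.Path`; the advisory should say that is what was done. Separately, the hunk header announces 57 lines but only 22 appear here, and the file opens with `Hash: SHA256` with no `-----BEGIN PGP SIGNED MESSAGE-----` header or signature block in sight: if the signature lines were dropped in publishing, the posted advisory is unverifiable, and if they were not, this hunk is incomplete. Finally, `This is the "Zip-slip" vulnerability -` ends on a dangling dash; finish the sentence or remove the dash.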