karaf-issues mailing list archives

From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Updated] (KARAF-4214) Deserialization of Untrusted Data
Date Wed, 16 Dec 2015 20:02:46 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4214:
----------------------------------------
    Description: 
HP Fortify SCA and SciTools Understand were used to perform an application security analysis
on the karaf source code.

The application deserializes untrusted data without sufficiently verifying that the resulting
data will be valid. An adversary could attack the application by tampering with the resource
"karaf.key". 

File: client\src\main\java\org\apache\karaf\client\Main.java
Line: 297

Main.java, lines 291-313:
{code}
291 private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
292     InputStream is = null;
293     try {
294         SshAgent agent = new AgentImpl();
295         is = privateKeyUrl.openStream();
296         ObjectInputStream r = new ObjectInputStream(is);
297         KeyPair keyPair = (KeyPair) r.readObject();
298         is.close();
299         agent.addIdentity(keyPair, user);
300         if (keyFile != null) {
301             String[] keyFiles = new String[]{keyFile};
302             FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
303             for (KeyPair key : fileKeyPairProvider.loadKeys()) {
304                 agent.addIdentity(key, user);                
305             }
306         }
307         return agent;
308     } catch (Throwable e) {
309         close(is);
310         System.err.println("Error starting ssh agent for: " + e.getMessage());
311         return null;
312     }
313 }
{code}

> Deserialization of Untrusted Data
> ---------------------------------
>
>                 Key: KARAF-4214
>                 URL: https://issues.apache.org/jira/browse/KARAF-4214
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
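The sink the report points at is `(KeyPair) r.readObject()` on line 297: the cast runs only after `ObjectInputStream` has already instantiated whatever class graph the file contained, so a tampered `karaf.key` can reach the `readObject()`/`readResolve()` methods of any serializable class on the client classpath. The Java program below is an added example written for this page, not Karaf's code or its eventual fix. It reads a serialized `KeyPair` through an `ObjectInputStream` subclass whose `resolveClass` allows only the classes a JDK-generated key pair actually needs (JDK provider keys serialize through `java.security.KeyRep`; a third-party provider's key classes would have to be added, which is an assumption of the allow-list), and contrasts it with the original pattern using a constructed stand-in for a tampered file. The class names `SafeKeyPairReader` and `KeyPairInputStream` are invented for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not Karaf code): read a serialized KeyPair such as karaf.key
 * with an ObjectInputStream that resolves only the classes a JDK-generated
 * KeyPair needs. Any other class is rejected before it is loaded or
 * instantiated, so a tampered file cannot reach readObject()/readResolve()
 * gadgets on the classpath.
 */
public class SafeKeyPairReader {

    // Class descriptors present in a serialized KeyPair whose keys come from
    // the JDK providers (their key classes writeReplace() to KeyRep).
    // Assumption: keys from another provider would need their classes added.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.security.KeyPair",
            "java.security.KeyRep",
            "java.security.KeyRep$Type",
            "java.lang.Enum",   // superclass descriptor written for the enum
            "[B"));             // byte[] carrying the encoded key

    /** ObjectInputStream that refuses every class not on the allow-list. */
    static final class KeyPairInputStream extends ObjectInputStream {
        KeyPairInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Thrown while the descriptor is read: no class load, no instance.
                throw new InvalidClassException(name, "class not allowed in key file");
            }
            return super.resolveClass(desc);
        }
    }

    /** Hardened replacement for the readObject()/cast pair in startAgent(). */
    public static KeyPair readKeyPair(InputStream is)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new KeyPairInputStream(is)) {
            Object o = ois.readObject();
            if (!(o instanceof KeyPair)) {
                throw new InvalidClassException(o.getClass().getName(),
                        "expected java.security.KeyPair");
            }
            return (KeyPair) o;
        }
    }

    /** The reported pattern: the stream's class graph is built before the cast. */
    public static KeyPair readKeyPairUnsafe(InputStream is)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream r = new ObjectInputStream(is)) {
            return (KeyPair) r.readObject();   // cast happens after readObject() ran
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        byte[] genuine = serialize(kpg.generateKeyPair());   // what a real karaf.key holds

        // Constructed stand-in for a tampered key file: a different serializable
        // class where the KeyPair should be. java.util.Date is harmless; an
        // attacker would pick a class whose readObject()/readResolve() does work.
        byte[] tampered = serialize(new java.util.Date());

        KeyPair kp = readKeyPair(new ByteArrayInputStream(genuine));
        System.out.println("genuine file: " + kp.getPublic().getAlgorithm() + " key pair loaded");

        try {
            readKeyPairUnsafe(new ByteArrayInputStream(tampered));
        } catch (ClassCastException e) {
            System.out.println("unsafe reader: object was fully deserialized before the cast failed");
        }

        try {
            readKeyPair(new ByteArrayInputStream(tampered));
        } catch (InvalidClassException e) {
            System.out.println("hardened reader: rejected " + e.classname + " before instantiation");
        }
    }
}
```

On Java 9 and later the same allow-list can be expressed without a subclass through `ObjectInputStream.setObjectInputFilter` with a pattern such as `java.security.KeyPair;java.security.KeyRep;java.security.KeyRep$Type;java.lang.Enum;!*` (primitive arrays pass the built-in filter without a pattern entry). Either form still trusts the JDK's own `KeyRep.readResolve` path and leaves the file format tied to Java serialization; the more robust design is to stop serializing key objects altogether and store the PKCS#8 and X.509 encodings (DER or PEM), rebuilding the keys with `KeyFactory`, and to keep the key file writable only by the user that runs the client.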
