oss-sec mailing list archives
[SECURITY] New security advisory for CVE-2019-0226 released for Apache Karaf
From: Jean-Baptiste Onofré <jb () nanthrax net>
Date: Mon, 6 May 2019 09:33:49 +0200
A new security advisory has been released for Apache Karaf, that is fixed in recent 4.2.5 release. CVE-2019-0226: Arbitrary file write vulnerability in Config service Severity: Low Vendor: The Apache Software Foundation Versions Affected: all versions of Apache Karaf prior to 4.2.5 Description: Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem. The mitigation is to prevent travel "outside" of Karaf etc folder by checking the path argument of the method and prevent use of ".." in the path. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=fe3bc41 https://gitbox.apache.org/repos/asf?p=karaf.git;h=bf5ed62 Mitigation: Apache Karaf users should upgrade to 4.2.5 or later as soon as possible, or limit filesystem permission for the Karaf process user. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6230 Credit: This issue was reported by 马凌涛 <malingtao1019 () 163 com>
Current thread:
- [SECURITY] New security advisory for CVE-2019-0226 released for Apache Karaf Jean-Baptiste Onofré (May 06)