-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2019-0191: Zip-slip vulnerability in KAR deployer

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.3

Description:

The Apache Karaf kar deployer reads .kar archives (which are zip files) and
takes the paths of the entries under "repository/" and "resources/" directly
from the zip entry names.

It then writes the content of those entries to the Karaf repository and
resources directories under the path each entry names. It performs no
validation on those paths, so a malicious user can craft a .kar file whose
entry names contain ".." segments, break out of the intended directories, and
write arbitrary content anywhere the Karaf process user can write. This is the
"Zip-slip" vulnerability described at
https://snyk.io/research/zip-slip-vulnerability

The severity is rated low on the assumption that the Karaf process user has
limited permissions on the filesystem; if Karaf runs as a more privileged
user, the impact of the arbitrary file write is correspondingly greater.

The fix prevents Zip-slip by checking the path of every entry in the kar zip
before it is written and rejecting any entry whose path contains a ".."
segment.

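To make the check concrete, the following is an added example, not Apache
Karaf's code and not the committed fix. It models the deployer's
entry-to-path mapping on an in-memory .kar: it builds a constructed archive
with two benign entries and two entries that use "..", shows the naive mapping
that lets them escape, and a hardened mapping that resolves each path and
rejects anything that does not land under its destination. It goes slightly
beyond a literal ".." check by also refusing backslash separators and absolute
entry names. KARAF_HOME, the mapping of "repository/" to KARAF_HOME/system and
of "resources/" to KARAF_HOME, and all entry names are assumptions made for the
example.

```python
"""Zip-slip check for .kar archives: naive (pre-fix) vs hardened (post-fix) path mapping.

Added example, not Apache Karaf's code. A .kar is a plain zip; this models the
deployer's entry-to-path mapping in memory without writing anything to disk.
"""
import io
import posixpath
import zipfile
from typing import List, Optional, Tuple

# Assumed layout for the example (not stated in the advisory): entries under
# "repository/" go to KARAF_HOME/system, entries under "resources/" to KARAF_HOME.
KARAF_HOME = "/opt/karaf"
DESTINATIONS = {
    "repository/": posixpath.join(KARAF_HOME, "system"),
    "resources/": KARAF_HOME,
}


def build_sample_kar() -> bytes:
    """Constructed sample archive: two benign entries and two that use '..' to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("repository/org/example/feature/1.0/feature-1.0.jar", b"benign jar bytes")
        zf.writestr("resources/etc/example.cfg", b"key=value\n")
        zf.writestr("repository/../../../../tmp/evil.txt", b"lands outside KARAF_HOME")
        zf.writestr("resources/etc/../../../tmp/evil2.txt", b"also outside")
    return buf.getvalue()


def naive_target(dest: str, relative: str) -> str:
    """Pre-fix behaviour: join the entry name onto the destination and trust the result."""
    return posixpath.normpath(posixpath.join(dest, relative))


def safe_target(dest: str, relative: str) -> Optional[str]:
    """Post-fix behaviour: resolve the entry and refuse anything outside dest.

    Resolving the whole path (rather than only looking for "..") also catches
    backslash separators from Windows-built zips and absolute entry names.
    """
    rel = relative.replace("\\", "/")
    if rel.startswith("/"):
        return None  # absolute entry names never belong in a kar
    dest_norm = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_norm, rel))
    # Accept dest itself (a directory entry) or anything strictly below it.
    if target != dest_norm and not target.startswith(dest_norm + "/"):
        return None
    return target


def plan_extraction(kar_bytes: bytes, strict: bool) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Map each deployable entry to the filesystem path it would be written to.

    strict=False reproduces the vulnerable mapping; strict=True rejects escaping
    entries and lists them separately so the deployer can abort before writing.
    """
    accepted: List[Tuple[str, str]] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(kar_bytes)) as zf:
        for name in zf.namelist():
            for prefix, dest in DESTINATIONS.items():
                if not name.startswith(prefix):
                    continue
                relative = name[len(prefix):]
                if strict:
                    target = safe_target(dest, relative)
                    if target is None:
                        rejected.append(name)
                        continue
                else:
                    target = naive_target(dest, relative)
                accepted.append((name, target))
    return accepted, rejected


if __name__ == "__main__":
    kar = build_sample_kar()
    for strict in (False, True):
        accepted, rejected = plan_extraction(kar, strict=strict)
        print(f"strict={strict}")
        for name, target in accepted:
            print(f"  write {name!r} -> {target}")
        for name in rejected:
            print(f"  REJECT {name!r} (resolves outside its destination)")
```

With strict=False the two ".." entries resolve to /tmp/evil.txt and
/tmp/evil2.txt, i.e. outside KARAF_HOME; with strict=True they are reported as
rejected and only the two benign entries keep a target path. In a real
deployer the containment check should run against the canonical (symlink
resolved) destination on disk, and a single rejected entry should abort the
whole deployment rather than skip that entry.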
This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=fef9a61
https://gitbox.apache.org/repos/asf?p=karaf.git;h=e36a7a6

Mitigation: Apache Karaf users should upgrade to 4.2.3 or later as soon as
possible, or limit the filesystem permissions of the Karaf process user.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6090

Credit: This issue was reported by Colm O hEigeartaigh
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAlyBFD0ACgkQv/LuQsgo
LnbxYA//VC4yJ8uWEyBx5cozyCjwEgJo9um5P7DGx9VkqGtOBmOrlfVlP7kmVdJV
FWOWDAAPw93UYwlqdEsBiM5hxZQW5I9W9QZv5HFY/wzyY+AdCG7vf1VDBq9Vnj/4
tHbIs53yke83+q9xMQFFenOHmMrN/L4L+5y0eXkjtQOdMno3m8EIuwTS32tSEl2v
nG7CiCRazDLziMG4gxgb8rSFBx7ZVjuTuHUbqtfTxHAYtHjGoP5+EFFk//iqtVR+
mr4KXAPG+PY0I4iq3FN3PTaS/ljPtcJOUtP1LcqPhll5iWpqOnGULUCHzgQTk8ZN
auPxfsyXnBMT+zt4VwHEWWQ66Zf5EQYhP2MBHTS2RHsTgTn0GP8cH7gAhg1jnozH
tdZ25B2xPRFqWqqNBgdIOvKvPlQ9aOryZLZkjmK3DkGA0GLpKjUWmZS30edQ5bOP
ovFTN0YRDb4YK7UNR4cvqEF2zOjT77DQz2uaOIKwaEae86702Zyg21sww8yEbJ71
LfQMKh6sNCAgBuYMCNcmIbTs4GMjws07UJa9kmgcrYnzzzF2pLCUl9I4uXw5zs/G
xsM3hexiKTYjeR4mO8t6TERVaB58h0aJrb3envL9hbiMy8bOGCNW5x8zpqdw/cH8
+1pRzxMkFNw+SIQtb+1hqdbh+KwzZAzks2gnlmS3zfRU506mzQ0=
=SVQ5
-----END PGP SIGNATURE-----