CVE-2018-11788: XXE vulnerability found on Apache Karaf

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.1.7, 4.2.2.

Description:

Apache Karaf provides a features deployer, which allows users to "hot deploy"
a features XML by dropping the file directly in the deploy folder.

The features XML is parsed by the XMLInputFactory class.

The Apache Karaf XMLInputFactory class doesn't contain any mitigation code
against XXE.
This is a potential security risk, as a user can inject external XML entities.

The mitigation is to prevent XXE by disabling the external entity loading
feature in XMLInputFactory and XmlUtils.
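As an added example (not code from the Karaf project or from its fix commits), a default XMLInputFactory beside one hardened along the lines the advisory describes, both fed a constructed features XML; the class name, sample document and file path are assumptions.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class FeaturesXmlXxeDemo {

    // Constructed sample: a features file whose DOCTYPE declares an external
    // entity. A permissive parser substitutes the referenced file for &ext;.
    static final String FEATURES_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE features [<!ENTITY ext SYSTEM \"file:///tmp/constructed-example.txt\">]>\n"
        + "<features name=\"demo\"><feature name=\"demo-feature\">&ext;</feature></features>";

    // Weak setting: a default XMLInputFactory processes the DTD and resolves
    // external entities, which is the condition the advisory describes.
    static XMLInputFactory permissiveFactory() {
        return XMLInputFactory.newInstance();
    }

    // Corrected setting: no DTD processing, no external entity expansion, and a
    // resolver that refuses any external reference the parser might still attempt.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        f.setXMLResolver((publicID, systemID, baseURI, namespace) -> {
            throw new XMLStreamException("external reference blocked: " + systemID);
        });
        return f;
    }

    // Collects character data under <feature>, i.e. whatever the entity expanded
    // to. With the hardened factory the document is rejected or &ext; stays
    // unexpanded, so no file content ever reaches the caller.
    static String readFeatureText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) {
                text.append(r.getText());
            }
        }
        return text.toString();
    }

    public static void main(String[] args) {
        for (XMLInputFactory f : new XMLInputFactory[] { permissiveFactory(), hardenedFactory() }) {
            try {
                System.out.println("parsed feature text: '" + readFeatureText(f, FEATURES_XML) + "'");
            } catch (XMLStreamException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```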

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=cc3332e
https://gitbox.apache.org/repos/asf?p=karaf.git;h=1ffa6d1

Mitigation: Apache Karaf users should upgrade to 4.1.7, 4.2.2
or later as soon as possible.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-5911

Credit: This issue was reported by Brian Wang.