security/cve-2018-11786.txt - karaf-site - Git at Google

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA256

 CVE-2018-11786: Apache Karaf SSH RBAC security enforcement

 Severity: Moderate

 Vendor: The Apache Software Foundation

 Versions Affected: all versions of Apache Karaf prior to 4.2.0.M1

 Description:

 If the sshd service in Karaf is left on so an administrator can manage
 the running instance, any user with rights to the Karaf console can
 pivot and read/write any file on the file system to which the Karaf
 process user has access. This can be locked down a bit by using chroot
 to change the root directory to protect files outside of the Karaf
 install directory; it can be further locked down by defining a
 security manager policy that limits file system access to those
 directories beneath the Karaf home that are necessary for the system
 to run. However, this still allows anyone with ssh access to the Karaf
 process to read and write a large number of files as the Karaf process
 user.


 This has been fixed in revision:

 https://gitbox.apache.org/repos/asf?p=karaf.git;h=24fb477
 https://gitbox.apache.org/repos/asf?p=karaf.git;h=7ad0da3

 Mitigation: Apache Karaf users should upgrade to 4.2.0.M1 or later as soon as possible.

 JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-5427

 Credit: This issue was reported by R.A. Porter
 -----BEGIN PGP SIGNATURE-----

 iQIzBAEBCAAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAlwzikQACgkQv/LuQsgo
 LnYK4A/+PtcvlkBpAu1kPJLxqyyDpl/sZrKSj6dAhuR4KImEaJZojGNoCYmL14AC
 d5UCJYIEBgICxqSszedR24iWOI6oDIKAnCzD/xqQ1MQV7myQ/C3vvhEroVnd1MhK
 8qZeWqvrYiiQ+JULvyYlD9ASW1f0nL8NRvoz9I8BVsGH3s+bAEwjtp6+Rs7OJgYo
 wqp59aJ70yt6dCgR/3WTPgWZh/rBLO+LjzbRMuuOrLftKq2CLDcpJ7DIYp9P7VbR
 jDBGJkwt+PpjTIQ8395VZZbdoJotrwPtJV2EvL8//zCgwQ50q4fds7xz7UPIxx2e
 wOGNS0GDilj73+Vu3otf/URz/2Gc1Kl2KdePrAs7PJoQwn1mqQFbUodi/RhFq7G6
 fIWX2SPaEbbPjc+TwcerMMdAVVOi+K4egNE2oDjNbgmb17GZ1/qfFwRvWq3FHNOE
 vFgpcuzr21waHFbD0Olf+uWSh6lbviNUCDmTiKae3TFYa909CEPAiULW5Cj0lSwX
 0MxqvmkBnzxZAEBMpnOKfyTejLDb7NI+0HtVeEiOK8jq/Tt+WpRXiHlCiNlTQR7K
 fKqTEQJxLBUk1FomiuMo8Qznw76xHjv6hrW1PYfF7BsjlLypIrhcOAPj7oEoE94+
 cZQhqb/duVRn1TyNAV28Uqvw1z5D2a04v2+HW426Weo68uh1PN4=
 =9qPL
 -----END PGP SIGNATURE-----
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA256

	CVE-2018-11786: Apache Karaf SSH RBAC security enforcement

	Severity: Moderate

	Vendor: The Apache Software Foundation

	Versions Affected: all versions of Apache Karaf prior to 4.2.0.M1

	Description:

	If the sshd service in Karaf is left on so an administrator can manage
	the running instance, any user with rights to the Karaf console can
	pivot and read/write any file on the file system to which the Karaf
	process user has access. This can be locked down a bit by using chroot
	to change the root directory to protect files outside of the Karaf
	install directory; it can be further locked down by defining a
	security manager policy that limits file system access to those
	directories beneath the Karaf home that are necessary for the system
	to run. However, this still allows anyone with ssh access to the Karaf
	process to read and write a large number of files as the Karaf process
	user.


	This has been fixed in revision:

	https://gitbox.apache.org/repos/asf?p=karaf.git;h=24fb477
	https://gitbox.apache.org/repos/asf?p=karaf.git;h=7ad0da3

	Mitigation: Apache Karaf users should upgrade to 4.2.0.M1 or later as soon as possible.

	JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-5427

	Credit: This issue was reported by R.A. Porter
	-----BEGIN PGP SIGNATURE-----

	iQIzBAEBCAAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAlwzikQACgkQv/LuQsgo
	LnYK4A/+PtcvlkBpAu1kPJLxqyyDpl/sZrKSj6dAhuR4KImEaJZojGNoCYmL14AC
	d5UCJYIEBgICxqSszedR24iWOI6oDIKAnCzD/xqQ1MQV7myQ/C3vvhEroVnd1MhK
	8qZeWqvrYiiQ+JULvyYlD9ASW1f0nL8NRvoz9I8BVsGH3s+bAEwjtp6+Rs7OJgYo
	wqp59aJ70yt6dCgR/3WTPgWZh/rBLO+LjzbRMuuOrLftKq2CLDcpJ7DIYp9P7VbR
	jDBGJkwt+PpjTIQ8395VZZbdoJotrwPtJV2EvL8//zCgwQ50q4fds7xz7UPIxx2e
	wOGNS0GDilj73+Vu3otf/URz/2Gc1Kl2KdePrAs7PJoQwn1mqQFbUodi/RhFq7G6
	fIWX2SPaEbbPjc+TwcerMMdAVVOi+K4egNE2oDjNbgmb17GZ1/qfFwRvWq3FHNOE
	vFgpcuzr21waHFbD0Olf+uWSh6lbviNUCDmTiKae3TFYa909CEPAiULW5Cj0lSwX
	0MxqvmkBnzxZAEBMpnOKfyTejLDb7NI+0HtVeEiOK8jq/Tt+WpRXiHlCiNlTQR7K
	fKqTEQJxLBUk1FomiuMo8Qznw76xHjv6hrW1PYfF7BsjlLypIrhcOAPj7oEoE94+
	cZQhqb/duVRn1TyNAV28Uqvw1z5D2a04v2+HW426Weo68uh1PN4=
	=9qPL
	-----END PGP SIGNATURE-----