-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2018-11786: Apache Karaf SSH RBAC security enforcement

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.0.M1

Description:

If the sshd service in Karaf is left on so an administrator can manage
the running instance, any user with rights to the Karaf console can
pivot and read/write any file on the file system to which the Karaf
process user has access. This can be locked down a bit by using chroot
to change the root directory to protect files outside of the Karaf
install directory; it can be further locked down by defining a
security manager policy that limits file system access to those
directories beneath the Karaf home that are necessary for the system
to run. However, this still allows anyone with ssh access to the Karaf
process to read and write a large number of files as the Karaf process
user.
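The security manager mitigation described above, shown as an added illustration rather than the advisory's own text: a Java security policy fragment that confines the Karaf process's file access to directories beneath the Karaf home, with the unrestricted grant it replaces shown for contrast. The `${karaf.home}` property expansion and the `data`/`etc` directory names are assumptions about a typical Karaf layout, and the non-file permissions Karaf also needs to start are omitted.

```java
// Added illustration (not from the advisory): Java security policy fragment
// confining file system access to the Karaf home. Assumes the JVM runs with
// -Djava.security.manager -Djava.security.policy==<this file> and that the
// karaf.home system property is set (the policy parser expands ${karaf.home}).
// Only java.io.FilePermission is shown; the runtime, socket and property
// permissions Karaf needs are left out of this fragment.
grant {
    // Whole install tree readable, nothing writable by default
    permission java.io.FilePermission "${karaf.home}/-", "read";

    // Writable only where the running instance must persist state
    // (assumed locations; check the instance's actual layout)
    permission java.io.FilePermission "${karaf.home}/data/-", "read,write,delete";
    permission java.io.FilePermission "${karaf.home}/etc/-", "read,write";
};

// Contrast, kept commented out: an unrestricted file grant, which is the
// exposure the advisory describes, since every console user then inherits
// the full reach of the Karaf process user.
// grant {
//     permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
// };
```

Paths outside ${karaf.home} are denied by omission, since the security manager rejects any file access that no grant covers; this narrows the damage from console access but does not remove it, which is why the advisory's fix moves enforcement into the console's RBAC.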


This has been fixed in revisions:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=24fb477
https://gitbox.apache.org/repos/asf?p=karaf.git;h=7ad0da3

Mitigation: Apache Karaf users should upgrade to 4.2.0.M1 or later as soon as possible.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-5427

Credit: This issue was reported by R.A. Porter.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----