-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2019-0226: Arbitrary file write vulnerability in Config service
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: all versions of Apache Karaf prior to 4.2.5
Description:
The Apache Karaf Config service provides an install method (via service or MBean)
that could be used to traverse into any directory and overwrite an existing file.
The severity is low if the Karaf process user has limited permissions on
the filesystem.
The fix prevents traversal "outside" of the Karaf etc folder by checking
the path argument of the method and rejecting the use of ".." in the path.
This has been fixed in revision:
https://gitbox.apache.org/repos/asf?p=karaf.git;h=fe3bc41
https://gitbox.apache.org/repos/asf?p=karaf.git;h=bf5ed62
Mitigation: Apache Karaf users should upgrade to 4.2.5
or later as soon as possible, or limit the filesystem permissions of the Karaf
process user.
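As an added illustration, not Karaf's own code (the class and method names are hypothetical), a config installer that applies the two checks the advisory describes: rejecting ".." segments in the caller-supplied name and verifying that the resolved path still lies under the etc folder.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative config installer (hypothetical, not Karaf's code) showing the
 * kind of path check the advisory describes: the caller-supplied name must
 * stay inside the etc folder, and ".." segments are rejected outright.
 */
public class ConfigInstaller {

    private final Path etcDir;

    public ConfigInstaller(Path etcDir) {
        // Canonicalize once so the containment check below compares like with like.
        this.etcDir = etcDir.toAbsolutePath().normalize();
    }

    /**
     * Resolves a caller-supplied config name against etc and returns the target
     * path, or throws if the name would escape the etc folder.
     */
    public Path resolveSafely(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty config name");
        }
        // First guard: reject any ".." segment before touching the filesystem.
        for (Path segment : Paths.get(name)) {
            if (segment.toString().equals("..")) {
                throw new IllegalArgumentException("'..' not allowed in config name: " + name);
            }
        }
        // Second guard: after resolving and normalizing, the result must still lie
        // under etc. This also rejects absolute names, which resolve() would
        // otherwise return unchanged.
        Path target = etcDir.resolve(name).normalize();
        if (!target.startsWith(etcDir)) {
            throw new IllegalArgumentException("config name escapes etc folder: " + name);
        }
        return target;
    }

    /** Writes the given content to the resolved config file inside etc. */
    public void install(String name, byte[] content) throws IOException {
        Path target = resolveSafely(name);
        Files.createDirectories(target.getParent());
        Files.write(target, content);
    }
}
```

The `startsWith` check compares normalized paths only; if etc may contain symbolic links pointing elsewhere, compare `toRealPath()` results instead so a link inside etc cannot redirect the write.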
JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6230
Credit: This issue was reported by 马凌涛 <malingtao1019@163.com>