| -----BEGIN PGP SIGNED MESSAGE----- |
| Hash: SHA512 |
| |
| CVE-2021-41766: Insecure Java Deserialization in Apache Karaf |
| |
| Severity: Low |
| |
| Vendor: The Apache Software Foundation |
| |
| Versions Affected: all versions of Apache Karaf prior to 4.3.6 |
| |
| Description: |
| |
| Apache Karaf allows monitoring of applications and the Java runtime by |
| using the Java Management Extensions (JMX). |
| JMX remoting is a Java RMI-based technology that relies on Java serialized |
| objects for client-server communication. |
| Whereas the default JMX implementation is hardened against |
| unauthenticated deserialization attacks, the implementation |
| used by Apache Karaf is not protected against this kind of attack. |
| |
| The impact of Java deserialization vulnerabilities strongly depends |
| on the classes that are available on the target's |
| class path. |
| Generally speaking, deserialization of untrusted data always |
| represents a high security risk and should be prevented. |
| |
| The risk is low because, by default, Karaf exposes only a limited set of classes on the JMX server's class path: |
| it depends on system-scoped classes (e.g. the jars in the lib folder). |
| |
| This has been fixed in revision: |
| |
| https://gitbox.apache.org/repos/asf?p=karaf.git;h=b42c82c |
| https://gitbox.apache.org/repos/asf?p=karaf.git;h=93a019c |
| |
| Mitigation: Apache Karaf users should upgrade to 4.3.6 |
| or later as soon as possible, or disable remote access to the JMX server. |
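| The mitigation above reduces to two checks: whether the installed Karaf is older than 4.3.6, and whether the JMX RMI endpoints are reachable from other hosts. The script below is an added example, not part of the Apache advisory or of the Karaf project. It works on a constructed sample of etc/org.apache.karaf.management.cfg (the rmiRegistryHost, rmiServerHost, rmiRegistryPort and rmiServerPort keys follow the stock file as I know it, with 0.0.0.0 meaning every interface; confirm them against your own installation), reports whether the RMI registry or RMI server binds a non-loopback address, rewrites both bind addresses to 127.0.0.1 as the "disable remote access" option, and compares a version string against the 4.3.6 fix boundary stated in the advisory. |

```shell
#!/bin/sh
# Added example: exposure checks for CVE-2021-41766 on a Karaf installation.
# Not part of the Apache advisory or of Karaf itself.

# Constructed sample of etc/org.apache.karaf.management.cfg. Key names follow
# the stock Karaf file (0.0.0.0 = listen on every interface); verify them
# against your own installation.
SAMPLE_CFG='# JMX RMI endpoints
rmiRegistryHost = 0.0.0.0
rmiRegistryPort = 1099
rmiServerHost = 0.0.0.0
rmiServerPort = 44444
jmxRealm = karaf'

# cfg_value CFGTEXT KEY: print the value of KEY (last occurrence wins), empty
# if absent. Comment lines are skipped; a value containing '=' is cut at the
# first one, which is fine for the host/port keys checked here.
cfg_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F'=' '
        $0 !~ /^[ \t]*#/ {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }'
}

# is_loopback HOST: succeed if HOST is only reachable from the machine itself.
is_loopback() {
    case "$1" in
        127.*|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# jmx_exposure CFGTEXT: print "remote" if either RMI endpoint (registry or
# server) binds a non-loopback address, "local" if both are loopback-only.
# A missing key is treated as the stock default, 0.0.0.0.
jmx_exposure() {
    reg=$(cfg_value "$1" rmiRegistryHost)
    srv=$(cfg_value "$1" rmiServerHost)
    [ -n "$reg" ] || reg=0.0.0.0
    [ -n "$srv" ] || srv=0.0.0.0
    if is_loopback "$reg" && is_loopback "$srv"; then
        echo local
    else
        echo remote
    fi
}

# harden_cfg CFGTEXT: print the config with both RMI bind addresses forced to
# 127.0.0.1, i.e. the advisory's "disable remote access to the JMX server".
harden_cfg() {
    printf '%s\n' "$1" |
        sed -E 's/^([[:space:]]*rmi(Registry|Server)Host[[:space:]]*=).*/\1 127.0.0.1/'
}

# version_lt A B: succeed if dotted version A is older than B. Missing
# components count as 0; a suffix such as "6-SNAPSHOT" compares as 6.
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { na = NF; for (i = 1; i <= NF; i++) a[i] = $i + 0 }
        NR == 2 { nb = NF; for (i = 1; i <= NF; i++) b[i] = $i + 0 }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (a[i] + 0 < b[i] + 0) exit 0
                if (a[i] + 0 > b[i] + 0) exit 1
            }
            exit 1
        }'
}

# karaf_affected VERSION: "affected" for releases prior to 4.3.6, else "fixed",
# following the "Versions Affected" line of the advisory.
karaf_affected() {
    if version_lt "$1" 4.3.6; then echo affected; else echo fixed; fi
}

# Stand-alone run over the constructed sample.
echo "Karaf 4.3.5: $(karaf_affected 4.3.5)"
echo "Karaf 4.3.6: $(karaf_affected 4.3.6)"
echo "Sample cfg JMX exposure: $(jmx_exposure "$SAMPLE_CFG")"
echo "After harden_cfg: $(jmx_exposure "$(harden_cfg "$SAMPLE_CFG")")"
```

| To run it against a real installation, pass the file contents, e.g. jmx_exposure "$(cat etc/org.apache.karaf.management.cfg)". Binding the RMI registry and server to 127.0.0.1 only removes network reachability; a local user on the host can still talk to the connector, so the bind-address change is a stopgap and the upgrade to 4.3.6 or later remains the actual fix. |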
| |
| JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7312 |
| |
| Credit: This issue was reported by Daniel Heyne, Konstantin Samuel and Tobias |
| Neitzel |
| -----BEGIN PGP SIGNATURE----- |
| |
| iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmHlgMUACgkQv/LuQsgo |
| Lnb4phAAg8ccLRsJX7fMr7SPPvbA9h7AyBkCupY1NErKUqDcnssmAlbBwfe07ztI |
| xRn0Fvv3TSD077beEtt7qjgO+W5xmi6F7b6CBdrUnAE+d6mbEUiL0Ur5SJKaeN3s |
| sMbQb0RhlfcSG7uBSYwSXGaikuWzHedWMemQilZzjNLc/qJhllmptFkM1TANq4W8 |
| 51uglaiA1+7mQapl8mfwxlFbNqzWuVOmKq+PwvrKmSRjS4Uf4TLU5j4liH4thhS8 |
| wsZpKCNEAKpeDqNI/zCkU4QHzdE67va1IJ5rhsbiXMCO/5g7GiOUbwlnEkbjENX2 |
| vYKMeLdNPxiXYlVROwOo1Z2vQEGvZYLPvYJy9LJeHn0FJtYE5CImaC9NnpHoq6YB |
| pxlw6ZcVeEOic6jj2UOA1t7aBh2KEmLhqe1JXPZTXHB3r6baGnsXbNKPnG7VEDF0 |
| TlxGvK6Wx6yVGaaqX7OemLWumhEftRWE5oiUxQtbdxYUgXD0qfnFfYJkIgIeG5B4 |
| H0MjlDLhLW03t7xK5hPsr0ibfBgyHgwx7uYpUvkuaNnPIMCupEmeW/SWrsmheAkK |
| R231ARKeUUhFshjLFV+WxgxdEPh9cJB6R98UvRRtlXm5UHXCbTeYtFPBouA2ZsyF |
| KDNTcFDXUUD+3jEvI6HlLPQ1ij7aTAGGlj7nR9PXeMfzkBBjBRU= |
| =kBXw |
| -----END PGP SIGNATURE----- |