security/cve-2021-41766.txt - karaf-site - Git at Google

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

 CVE-2021-41766: Insecure Java Deserialization in Apache Karaf

 Severity: Low

 Vendor: The Apache Software Foundation

 Versions Affected: all versions of Apache Karaf prior to 4.3.6

 Description:

 Apache Karaf allows monitoring of applications and the Java runtime by
 using the Java Management Extensions (JMX).
 JMX is a Java RMI based technology that relies on Java serialized
 objects for client server communication.
 Whereas the default JMX implementation is hardened against
 unauthenticated deserialization attacks, the implementation
 used by Apache Karaf is not protected against this kind of attack.

 The impact of Java deserialization vulnerabilities strongly depends
 on the classes that are available within the targets
 class path.
 Generally speaking, deserialization of untrusted data does always
 represent a high security risk and should be prevented.

 The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path.
 It depends of system scoped classes (e.g. jar in the lib folder).

 This has been fixed in revision:

 https://gitbox.apache.org/repos/asf?p=karaf.git;h=b42c82c
 https://gitbox.apache.org/repos/asf?p=karaf.git;h=93a019c

 Mitigation: Apache Karaf users should upgrade to 4.3.6
 or later as soon as possible, or disable remote access to JMX server.

 JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7312

 Credit: This issue was reported by Daniel Heyne, Konstantin Samuel and Tobias
 Neitzel
 -----BEGIN PGP SIGNATURE-----

 iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmHlgMUACgkQv/LuQsgo
 Lnb4phAAg8ccLRsJX7fMr7SPPvbA9h7AyBkCupY1NErKUqDcnssmAlbBwfe07ztI
 xRn0Fvv3TSD077beEtt7qjgO+W5xmi6F7b6CBdrUnAE+d6mbEUiL0Ur5SJKaeN3s
 sMbQb0RhlfcSG7uBSYwSXGaikuWzHedWMemQilZzjNLc/qJhllmptFkM1TANq4W8
 51uglaiA1+7mQapl8mfwxlFbNqzWuVOmKq+PwvrKmSRjS4Uf4TLU5j4liH4thhS8
 wsZpKCNEAKpeDqNI/zCkU4QHzdE67va1IJ5rhsbiXMCO/5g7GiOUbwlnEkbjENX2
 vYKMeLdNPxiXYlVROwOo1Z2vQEGvZYLPvYJy9LJeHn0FJtYE5CImaC9NnpHoq6YB
 pxlw6ZcVeEOic6jj2UOA1t7aBh2KEmLhqe1JXPZTXHB3r6baGnsXbNKPnG7VEDF0
 TlxGvK6Wx6yVGaaqX7OemLWumhEftRWE5oiUxQtbdxYUgXD0qfnFfYJkIgIeG5B4
 H0MjlDLhLW03t7xK5hPsr0ibfBgyHgwx7uYpUvkuaNnPIMCupEmeW/SWrsmheAkK
 R231ARKeUUhFshjLFV+WxgxdEPh9cJB6R98UvRRtlXm5UHXCbTeYtFPBouA2ZsyF
 KDNTcFDXUUD+3jEvI6HlLPQ1ij7aTAGGlj7nR9PXeMfzkBBjBRU=
 =kBXw
 -----END PGP SIGNATURE-----
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA512

	CVE-2021-41766: Insecure Java Deserialization in Apache Karaf

	Severity: Low

	Vendor: The Apache Software Foundation

	Versions Affected: all versions of Apache Karaf prior to 4.3.6

	Description:

	Apache Karaf allows monitoring of applications and the Java runtime by
	using the Java Management Extensions (JMX).
	JMX is a Java RMI based technology that relies on Java serialized
	objects for client server communication.
	Whereas the default JMX implementation is hardened against
	unauthenticated deserialization attacks, the implementation
	used by Apache Karaf is not protected against this kind of attack.

	The impact of Java deserialization vulnerabilities strongly depends
	on the classes that are available within the targets
	class path.
	Generally speaking, deserialization of untrusted data does always
	represent a high security risk and should be prevented.

	The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path.
	It depends of system scoped classes (e.g. jar in the lib folder).

	This has been fixed in revision:

	https://gitbox.apache.org/repos/asf?p=karaf.git;h=b42c82c
	https://gitbox.apache.org/repos/asf?p=karaf.git;h=93a019c

	Mitigation: Apache Karaf users should upgrade to 4.3.6
	or later as soon as possible, or disable remote access to JMX server.

	JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7312

	Credit: This issue was reported by Daniel Heyne, Konstantin Samuel and Tobias
	Neitzel
	-----BEGIN PGP SIGNATURE-----

	iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmHlgMUACgkQv/LuQsgo
	Lnb4phAAg8ccLRsJX7fMr7SPPvbA9h7AyBkCupY1NErKUqDcnssmAlbBwfe07ztI
	xRn0Fvv3TSD077beEtt7qjgO+W5xmi6F7b6CBdrUnAE+d6mbEUiL0Ur5SJKaeN3s
	sMbQb0RhlfcSG7uBSYwSXGaikuWzHedWMemQilZzjNLc/qJhllmptFkM1TANq4W8
	51uglaiA1+7mQapl8mfwxlFbNqzWuVOmKq+PwvrKmSRjS4Uf4TLU5j4liH4thhS8
	wsZpKCNEAKpeDqNI/zCkU4QHzdE67va1IJ5rhsbiXMCO/5g7GiOUbwlnEkbjENX2
	vYKMeLdNPxiXYlVROwOo1Z2vQEGvZYLPvYJy9LJeHn0FJtYE5CImaC9NnpHoq6YB
	pxlw6ZcVeEOic6jj2UOA1t7aBh2KEmLhqe1JXPZTXHB3r6baGnsXbNKPnG7VEDF0
	TlxGvK6Wx6yVGaaqX7OemLWumhEftRWE5oiUxQtbdxYUgXD0qfnFfYJkIgIeG5B4
	H0MjlDLhLW03t7xK5hPsr0ibfBgyHgwx7uYpUvkuaNnPIMCupEmeW/SWrsmheAkK
	R231ARKeUUhFshjLFV+WxgxdEPh9cJB6R98UvRRtlXm5UHXCbTeYtFPBouA2ZsyF
	KDNTcFDXUUD+3jEvI6HlLPQ1ij7aTAGGlj7nR9PXeMfzkBBjBRU=
	=kBXw
	-----END PGP SIGNATURE-----