[ 
https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4214:
----------------------------------------
    Fix Version/s:     (was: 4.0.7)
                   4.0.8

> Deserialization of Untrusted Data
> ---------------------------------
>
>                 Key: KARAF-4214
>                 URL: https://issues.apache.org/jira/browse/KARAF-4214
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> The application deserializes untrusted data without sufficiently verifying 
> that the resulting data will be valid. An adversary could attack the 
> application by tampering with the resource "karaf.key". 
> File: client\src\main\java\org\apache\karaf\client\Main.java
> Line: 297
> Main.java, lines 291-313:
> {code}
> 291 private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
> 292     InputStream is = null;
> 293     try {
> 294         SshAgent agent = new AgentImpl();
> 295         is = privateKeyUrl.openStream();
> 296         ObjectInputStream r = new ObjectInputStream(is);
> 297         KeyPair keyPair = (KeyPair) r.readObject();
> 298         is.close();
> 299         agent.addIdentity(keyPair, user);
> 300         if (keyFile != null) {
> 301             String[] keyFiles = new String[]{keyFile};
> 302             FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
> 303             for (KeyPair key : fileKeyPairProvider.loadKeys()) {
> 304                 agent.addIdentity(key, user);                
> 305             }
> 306         }
> 307         return agent;
> 308     } catch (Throwable e) {
> 309         close(is);
> 310         System.err.println("Error starting ssh agent for: " + e.getMessage());
> 311         return null;
> 312     }
> 313 }
> {code}
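One way to harden the `readObject()` call at line 297 without changing the `karaf.key` format, as an added example that is not code from the Karaf project or from the reporter: an `ObjectInputStream` subclass that only resolves the handful of classes a JDK-serialized `KeyPair` actually needs (JDK key implementations serialize through `java.security.KeyRep`, whose `readResolve` rebuilds the key via `KeyFactory`), so any other class descriptor in the file aborts deserialization before that class is loaded. The class name `KeyPairReader` is a hypothetical name chosen here; the allowlist assumes keys produced by the JDK's own providers.

```java
import java.io.*;
import java.security.*;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class KeyPairReader {

    // Classes that appear in a serialized JDK KeyPair, and nothing else.
    // "[B" is byte[] (KeyRep.encoded); java.lang.Enum is the superclass
    // descriptor written for the KeyRep.Type enum constant.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.security.KeyPair", "java.security.KeyRep",
            "java.security.KeyRep$Type", "java.lang.Enum", "[B"));

    private static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Reject before super.resolveClass() so the class is never loaded.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in key file");
            }
            return super.resolveClass(desc);
        }
    }

    /** Drop-in replacement for the unfiltered ObjectInputStream at line 296-297. */
    public static KeyPair readKeyPair(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(in)) {
            return (KeyPair) ois.readObject();
        }
    }

    // Demo: round-trip a freshly generated RSA key pair, then show that a
    // stream carrying some other object type is refused.
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(kp); }
        KeyPair back = readKeyPair(new ByteArrayInputStream(bos.toByteArray()));
        System.out.println("round trip ok: " + back.getPublic().equals(kp.getPublic()));

        bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new java.util.ArrayList<>()); }
        try {
            readKeyPair(new ByteArrayInputStream(bos.toByteArray()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The stronger fix is to stop using Java serialization for key material altogether and store the PKCS#8/X.509 encodings, rebuilding the keys with `KeyFactory`; the allowlist above is the minimal change that keeps existing `karaf.key` files readable.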
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)