[ https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4214:
----------------------------------------

    Fix Version/s:     (was: 4.0.8)
                       4.0.9

> Deserialization of Untrusted Data
> ---------------------------------
>
>                 Key: KARAF-4214
>                 URL: https://issues.apache.org/jira/browse/KARAF-4214
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.9
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the karaf source code.
> The application deserializes untrusted data without sufficiently verifying
> that the resulting data will be valid. An adversary could attack the
> application by tampering with the resource "karaf.key".
> File: client\src\main\java\org\apache\karaf\client\Main.java
> Line: 297
> Main.java, lines 291-313:
> {code}
> 291     private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
> 292         InputStream is = null;
> 293         try {
> 294             SshAgent agent = new AgentImpl();
> 295             is = privateKeyUrl.openStream();
> 296             ObjectInputStream r = new ObjectInputStream(is);
> 297             KeyPair keyPair = (KeyPair) r.readObject();
> 298             is.close();
> 299             agent.addIdentity(keyPair, user);
> 300             if (keyFile != null) {
> 301                 String[] keyFiles = new String[]{keyFile};
> 302                 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
> 303                 for (KeyPair key : fileKeyPairProvider.loadKeys()) {
> 304                     agent.addIdentity(key, user);
> 305                 }
> 306             }
> 307             return agent;
> 308         } catch (Throwable e) {
> 309             close(is);
> 310             System.err.println("Error starting ssh agent for: " + e.getMessage());
> 311             return null;
> 312         }
> 313     }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
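The weakness in the quoted snippet is that `r.readObject()` at line 297 materializes whatever object graph `karaf.key` contains before the `(KeyPair)` cast ever runs, so a tampered file can drive arbitrary `readObject`/`readResolve` code on the classpath. The following is an added example, written for this page and not Karaf's code nor the fix the project shipped for KARAF-4214: a look-ahead `ObjectInputStream` that refuses every class except the ones a serialized `java.security.KeyPair` legitimately needs. The allow-list is an assumption based on how the JDK serializes keys (public and private key implementations `writeReplace` themselves into `java.security.KeyRep`, which holds a `KeyRep.Type` enum, two strings and a `byte[]`); the class names `SafeKeyPairReader` and `KeyPairInputStream` are invented for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not Karaf's code): deserialize a KeyPair while refusing any
 * class that is not part of a KeyPair's own serialized form.
 */
public class SafeKeyPairReader {

    // Assumption: the JDK serializes PublicKey/PrivateKey objects through
    // java.security.KeyRep (writeReplace), so a KeyPair stream only ever
    // references these classes. Verify against the JDK actually in use.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.security.KeyPair",
            "java.security.KeyRep",
            "java.security.KeyRep$Type",
            "java.lang.Enum",      // superclass descriptor of KeyRep$Type
            "[B"));                // byte[] holding the encoded key

    /** Look-ahead stream: resolveClass runs before any object is instantiated. */
    static final class KeyPairInputStream extends ObjectInputStream {
        KeyPairInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not permitted in karaf.key");
            }
            return super.resolveClass(desc);
        }
    }

    /** Reads exactly one KeyPair from the stream; anything else is rejected. */
    public static KeyPair readKeyPair(InputStream is)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream r = new KeyPairInputStream(is)) {
            Object o = r.readObject();
            if (!(o instanceof KeyPair)) {
                throw new InvalidClassException(
                        "expected java.security.KeyPair, got " + o.getClass().getName());
            }
            return (KeyPair) o;
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: a genuine RSA key pair, as a real karaf.key holds.
        KeyPair original = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        KeyPair restored = readKeyPair(new ByteArrayInputStream(serialize(original)));
        System.out.println("legitimate key pair accepted: " + Arrays.equals(
                original.getPrivate().getEncoded(), restored.getPrivate().getEncoded()));

        // Constructed input 2: a tampered karaf.key carrying a foreign object graph.
        // A plain ObjectInputStream would fully deserialize it before the cast
        // failed; here the first non-allow-listed class descriptor aborts the read.
        byte[] tampered = serialize(new HashMap<String, Object>());
        try {
            readKeyPair(new ByteArrayInputStream(tampered));
            System.out.println("tampered stream accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("tampered stream rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same allow-list can be expressed with `ObjectInputFilter.Config.createFilter("java.security.KeyPair;java.security.KeyRep;java.security.KeyRep$Type;java.lang.Enum;[B;!*")` and `setObjectInputFilter` on the stream, which also lets you cap graph depth and array sizes. Note the limit of either approach: it removes the arbitrary-gadget path during deserialization, but an attacker who can write `karaf.key` can still substitute a key pair of their own, so the file's permissions and provenance matter as much as the parser.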