Prabhakaran Rajendran created KARAF-7683:
--------------------------------------------

             Summary: Impact of CVE-2021-26291 on Karaf
                 Key: KARAF-7683
                 URL: https://issues.apache.org/jira/browse/KARAF-7683
             Project: Karaf
          Issue Type: Dependency upgrade
          Components: karaf
    Affects Versions: 4.4.3
         Environment: Apache Karaf - OSGi
            Reporter: Prabhakaran Rajendran


We are using Apache Karaf 4.3.2 in our project and our security scans report 
CVE-2021-26291 
(https://nvd.nist.gov/vuln/detail/CVE-2021-26291) 
on our package because Karaf by default packs Maven 3.6.x. The fix for the 
specified CVE is Maven 3.8.1+ 
(https://maven.apache.org/docs/3.8.1/release-notes.html). Apache Karaf 
should update to use later versions of the Maven resolver etc. so that this 
vulnerability is mitigated.

Apache Karaf 4.4.3 includes pax-url-aether, which packs Maven artifacts of 
version maven-resolver-api-1.8.2. So the CVE impacts Karaf 4.4.2. 
 
Earlier, the tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts of 
version 3.6.x, and it got resolved in 4.4.2 as per the tickets below, but the 
Anchore Grype tool is still reporting this vulnerability on the latest Karaf 4.4.3 
with a different Maven library, maven-resolver-api-1.8.2.
https://issues.apache.org/jira/browse/KARAF-7224
https://issues.apache.org/jira/browse/KARAF-7223
 
But does the issue specified in the CVE, like Maven pulling dependencies from 
remote directories, really affect Karaf during runtime? Is it possible that a 
PoC has been done to validate this impact on Karaf? Or is it a false positive?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)