[
https://issues.apache.org/jira/browse/KARAF-7683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Prabhakaran Rajendran updated KARAF-7683:
-----------------------------------------
Description:
We are using Apache Karaf 4.4.3 and our security scans report CVE-2021-26291
([https://nvd.nist.gov/vuln/detail/CVE-2021-26291|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).])
on our package because Karaf by default packs maven 3.6.x. The fix for the
specified CVE is Maven 3.8.1+. Apache Karaf 4.4.3 includes pax-url-aether
which packs Maven artifacts of version maven-resolver-api-1.8.2. So the CVE
impacts Karaf 4.4.2.
Earlier tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts of
version 3.6.x, and it got resolved in 4.4.2 as per tickets below, but still
anchor grype tool is reporting this vulnerability on latest Karaf 4.4.3 with
different maven library maven-resolver-api-1.8.2.
https://issues.apache.org/jira/browse/KARAF-7224
https://issues.apache.org/jira/browse/KARAF-7223
But does the issue specified in the CVE like maven pulling dependencies from
remote directories really affect Karaf during runtime? Is it possible that a
PoC has been done to validate this impact on Karaf? Or is it false positive?
was:
We are using Apache Karaf 4.3.2 in our project and our security scans report
CVE-2021-26291
([https://nvd.nist.gov/vuln/detail/CVE-2021-26291|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).])
on our package because Karaf by default packs maven 3.6.x. The fix for the
specified CVE is Maven 3.8.1+.
([https://maven.apache.org/docs/3.8.1/release-notes.html]) . Apache Karaf
should update to use later versions of Maven resolver etc so that this
vulnerability is mitigated.
Apache Karaf 4.4.3 includes pax-url-aether which packs Maven artifacts of
version
maven-resolver-api-1.8.2. So the CVE impacts Karaf 4.4.2.
Earlier tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts of
version 3.6.x, and it got resolved in 4.4.2 as per tickets below, but still
anchor grype tool is reporting this vulnerability on latest Karaf 4.4.3 with
different maven library maven-resolver-api-1.8.2.
https://issues.apache.org/jira/browse/KARAF-7224
https://issues.apache.org/jira/browse/KARAF-7223
But does the issue specified in the CVE like maven pulling dependencies from
remote directories really affect Karaf during runtime? Is it possible that a
PoC has been done to validate this impact on Karaf? Or is it false positive?
> Impact of CVE-2021-26291 on Karaf
> ---------------------------------
>
> Key: KARAF-7683
> URL: https://issues.apache.org/jira/browse/KARAF-7683
> Project: Karaf
> Issue Type: Dependency upgrade
> Components: karaf
> Affects Versions: 4.4.3
> Environment: Apache Karaf - OSGi
> Reporter: Prabhakaran Rajendran
> Priority: Major
>
> We are using Apache Karaf 4.4.3 and our security scans report CVE-2021-26291
> ([https://nvd.nist.gov/vuln/detail/CVE-2021-26291|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).])
> on our package because Karaf by default packs maven 3.6.x. The fix for the
> specified CVE is Maven 3.8.1+. Apache Karaf 4.4.3 includes pax-url-aether
> which packs Maven artifacts of version maven-resolver-api-1.8.2. So the CVE
> impacts Karaf 4.4.2.
>
> Earlier tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts
> of version 3.6.x, and it got resolved in 4.4.2 as per tickets below, but
> still anchor grype tool is reporting this vulnerability on latest Karaf 4.4.3
> with different maven library maven-resolver-api-1.8.2.
> https://issues.apache.org/jira/browse/KARAF-7224
> https://issues.apache.org/jira/browse/KARAF-7223
>
> But does the issue specified in the CVE like maven pulling dependencies from
> remote directories really affect Karaf during runtime? Is it possible that a
> PoC has been done to validate this impact on Karaf? Or is it false positive?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
