[ https://issues.apache.org/jira/browse/KARAF-7683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré reassigned KARAF-7683:
-------------------------------------------

    Assignee: Jean-Baptiste Onofré

> Impact of CVE-2021-26291 on Karaf
> ---------------------------------
>
>                 Key: KARAF-7683
>                 URL: https://issues.apache.org/jira/browse/KARAF-7683
>             Project: Karaf
>          Issue Type: Dependency upgrade
>          Components: karaf
>    Affects Versions: 4.4.3
>         Environment: Apache Karaf - OSGi
>            Reporter: Prabhakaran Rajendran
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> We are using Apache Karaf 4.4.3 and our security scans report CVE-2021-26291 
> (https://nvd.nist.gov/vuln/detail/CVE-2021-26291)
> on our package because Karaf by default packs maven 3.6.x. The fix for the 
> specified CVE is Maven 3.8.1+.  Apache Karaf 4.4.3 includes pax-url-aether 
> which packs Maven artifacts of version maven-resolver-api-1.8.2. So the CVE 
> impacts Karaf 4.4.2. 
>  
> Earlier tool reported this issue on Apache Karaf 4.3.2 with Maven artifacts 
> of version 3.6.x, and it got resolved in 4.4.2 as per tickets below, but 
> still the Anchore Grype tool is reporting this vulnerability on latest Karaf 4.4.3 
> with a different maven library, maven-resolver-api-1.8.2.
> https://issues.apache.org/jira/browse/KARAF-7224
> https://issues.apache.org/jira/browse/KARAF-7223
>  
> But does the issue specified in the CVE like maven pulling dependencies from 
> remote directories really affect Karaf during runtime? Is it possible that a 
> PoC has been done to validate this impact on Karaf?  Or is it a false positive?
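A practitioner triaging a scanner finding like the one above usually wants to see which Maven artifacts the Karaf distribution actually ships before deciding whether the CVE applies. The script below is an added example, not code from the Karaf project or from the ticket: it inventories `maven-*` jars under a directory and flags Maven core artifacts older than 3.8.1, the fixed version named in the report. It assumes that the bundled artifacts live as plain `.jar` files under the given root (Karaf keeps its local repository under `system/`, which is the assumed default here) and that the jar names follow the `artifactId-version.jar` convention. It reports `maven-resolver-*` artifacts separately, since the Maven Resolver project is versioned on its own 1.x line and its version number cannot be compared against the Maven 3.8.1 threshold directly.

```shell
#!/bin/sh
# Added example (not from the Karaf project or the ticket): list Maven-related
# jars under a Karaf installation and flag Maven core jars older than 3.8.1.
# Assumption: bundled artifacts are *.jar files under the given root, typically
# $KARAF_HOME/system, named artifactId-version.jar.

# version_lt A B: succeed when dotted version A sorts before version B.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# maven_jar_report ROOT: print one line "artifact version status" per jar.
#   below-3.8.1               Maven core artifact older than the fixed version
#   ok                        Maven core artifact at or above 3.8.1
#   resolver-separate-series  maven-resolver artifact (1.x line, not Maven core)
maven_jar_report() {
  find "$1" -type f -name '*.jar' 2>/dev/null \
    | sed -n 's#.*/\(maven-[a-z-]*\)-\([0-9][0-9.]*\)\.jar$#\1 \2#p' \
    | sort -u \
    | while read -r artifact version; do
        status=ok
        case "$artifact" in
          maven-resolver-*) status=resolver-separate-series ;;
          maven-*) version_lt "$version" 3.8.1 && status=below-3.8.1 ;;
        esac
        echo "$artifact $version $status"
      done
}

# Usage: sh maven_jar_report.sh /path/to/karaf   (path is a placeholder)
[ $# -gt 0 ] && maven_jar_report "$1/system"
```

The output is only an inventory of what is on disk; a `below-3.8.1` line says the scanner's version match is correct, not that the vulnerable code path is reachable at Karaf runtime, which is the separate question the ticket raises.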



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
