-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2018-11786: Apache Karaf SSH RBAC security enforcement

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.0.M1

Description: If the sshd service in Karaf is left on so that an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read or write any file on the file system to which the Karaf process user has access. This can be locked down somewhat by using chroot to change the root directory and so protect files outside of the Karaf install directory; it can be locked down further by defining a security manager policy that limits file system access to those directories beneath the Karaf home that are necessary for the system to run. However, this still allows anyone with SSH access to the Karaf process to read and write a large number of files as the Karaf process user.

This has been fixed in revisions:
https://gitbox.apache.org/repos/asf?p=karaf.git;h=24fb477
https://gitbox.apache.org/repos/asf?p=karaf.git;h=7ad0da3

Mitigation: Apache Karaf users should upgrade to 4.2.0.M1 or later as soon as possible.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-5427

Credit: This issue was reported by R.A. Porter

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAlub2JoACgkQv/LuQsgo
LnYoQA//eF2PK0zi6DxHYgecHMSjGS5qMerMD9xof/WBuMq/WYPm8DOjgkhqtbKu
K1vzXicpBNmUu0rZqVqgoKfE24dEwax00gUARxMtiCV0qW6G4VWwe9Afn+2cKfYk
EbF7NRqiiriwDdVP2u3nMciR3/h1YliZwmtSz5xYqgh3+L+wvwesu94kbzWDJy0U
mkYy2TbA3K9lI1XuTjtefNdt9vPHwqC1Ay46ahSQCzcQk09t4M8r+lP/gBzAmH1l
dqJ7Rii0TD3qVWJR9Mfzg3HCnTp8t3f+9z9m/7zmXoRUXUU1CoS7LWYUBqtEztFC
2eef67Thy1Lnjcc4h9KVbWneeit5P7eDX5W8w15A5EmAOEvwwNBFYQQGIbPxCFWZ
CV2UYTM8mXy2GjW22HYim3ol35nPbfQg6lMnkSNTezAoeobFG3aWolDcYgUYMH4J
4bZoF4Z+s1DB8PJf2nOzibCLwU0wpYkqGcbforxoVRfU0AqB3QOEoWYFix2ii8Wj
IxCHWuSGIBHKEVMlm0ZF2S6rWL4XahFFqNsH+NKWJmoPG4ToKDWYl/XgENHIUERh
//9lXyjzGCvr0gHpfSuEM4mFCc8Psco71dcUva5rD+ULsa1Dsi9tPrF3ytBw0Md9
Kjl5N9Z59WKmIU+HIwQ4Q9dI6TQoYrDwFD3+Lfx8VSbtqhVh1Bk=
=5peJ
-----END PGP SIGNATURE-----
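The advisory names a security manager policy that confines file access to directories beneath the Karaf home as one interim hardening step. The fragment below is an added illustration of what such a policy looks like; it is not part of the advisory and not a file shipped by Karaf. It assumes Karaf is started with `-Djava.security.manager -Djava.security.policy=<path to this file>` and that the launcher exposes the Karaf directories as the `karaf.home`, `karaf.etc` and `karaf.data` system properties so that the `${...}` expansions resolve; the file name `restricted.policy` is a placeholder.

```text
// restricted.policy (hypothetical name) -- added example, not Karaf's own etc/all.policy.
// Confines java.io.FilePermission to the Karaf tree; every other permission the
// container needs must still be granted explicitly, but never AllPermission and
// never FilePermission on "<<ALL FILES>>".
grant {
    // Installation and configuration: read-only for the running process.
    permission java.io.FilePermission "${karaf.home}${/}-", "read";
    permission java.io.FilePermission "${karaf.etc}${/}-", "read";

    // The only writable area: runtime state under the data directory.
    permission java.io.FilePermission "${karaf.data}${/}-", "read,write,delete";

    // Scratch space used by the JVM and by bundles that unpack resources.
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";

    // Non-file permissions (SocketPermission, PropertyPermission, RuntimePermission,
    // ReflectPermission, ...) are deliberately omitted here: grant only the specific
    // ones Karaf fails without, and in particular do not grant
    // RuntimePermission "setSecurityManager", which would let in-process code
    // replace this policy.
};
```

Two caveats apply when reading this against the advisory. First, a policy is enforced per code source, not per console user: it bounds what the whole Karaf process may touch, so anyone with console access still reaches everything under `karaf.data`, which is why the advisory treats this only as partial lockdown and the real fix is the RBAC enforcement in 4.2.0.M1. Second, the Java security manager has been deprecated for removal since JDK 17 (JEP 411), so on current JDKs this mitigation is not an option at all; upgrading Karaf is.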