-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2019-0226: Arbitrary file write vulnerability in Config service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.2.5

Description:

Apache Karaf Config service provides a install method (via service or MBean)
that could be used to travel in any directory and overwrite existing file.

The vulnerability is low if the Karaf process user has limited permission on
the filesystem.

The mitigation is to prevent travel "outside" of Karaf etc folder by checking
the path argument of the method and prevent use of ".." in the path.

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=fe3bc41
https://gitbox.apache.org/repos/asf?p=karaf.git;h=bf5ed62

Mitigation: Apache Karaf users should upgrade to 4.2.5
or later as soon as possible, or limit filesystem permission for the Karaf
process user.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-6230

Credit: This issue was reported by 马凌涛 <malingtao1019@163.com>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAlzP38wACgkQv/LuQsgo
LnYiUQ//XNFT3Wo+dAypBMMCxNUWZfVw9MNkgqsZaYzCm8GjbgrEOkMB6DELQHDe
4ZAnjqD3L8CoQzMrfCpR9rC5B+Gmn29+2yd4GKWs3g/vEHMusKezk/Fe9fsoaqH8
f7nHQyCHEexHVNOi+i69af2iCi0RPTgSTi97D9ln8xyhl0WyU7J6+KjQkf0jJ2iW
u1FB4Lu0zPvNup7oa7+ulP9AJYWk/Y5w/SnOakqdMROHaKbUCxH8A4gBSAe99gWn
Bjw08KKuHyLDn43MYp5vLu3yZ7rZDwI25/694ZFLcbAzqXLc0aa9DDbtzyCsOWis
tbekmbAAOw/5mr5nC59iaaihslyYv3aR6sQNVALo8ISH2ydW3xf0FNMoZrO81Xtm
kYInKBCYTmfv33yEmQ8/jnyOLqorisRLD2mLqRHJghQWsC1+BrRhksgW1Tam/0RM
7q0udX5gc9XEQWXxDsuaUtakrVvR/hfsxb96qmyL7pJObqWBUa78iJ2dJcxdiWtK
S81oElGxmok8hIpbX0CTqD4r3bfWCnDbBiries46OSJShorlCAvZWqwWATkA8WOv
D1Wn1KZoSut1xiexu1Eb+lemvXlKNONzEmg4qoojWCPg3zP9S+XsvcVtC9/uAALI
MkhI0mkl0y4o8tJuFm6sIL4haTQDkGZX381QR2zToir0z+B+du8=
=7xvR
-----END PGP SIGNATURE-----