-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2021-41766: Insecure Java Deserialization in Apache Karaf

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: all versions of Apache Karaf prior to 4.3.6

Description:

Apache Karaf allows monitoring of applications and the Java runtime by
using the Java Management Extensions (JMX).
JMX is a Java RMI based technology that relies on Java serialized
objects for client server communication.
Whereas the default JMX implementation is hardened against
unauthenticated deserialization attacks, the implementation
used by Apache Karaf is not protected against this kind of attack.

The impact of Java deserialization vulnerabilities strongly depends
on the classes that are available within the targets
class path. 
Generally speaking, deserialization of untrusted data does always 
represent a high security risk and should be prevented.

The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path.
It depends of system scoped classes (e.g. jar in the lib folder).

This has been fixed in revision:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=b42c82c
https://gitbox.apache.org/repos/asf?p=karaf.git;h=93a019c

Mitigation: Apache Karaf users should upgrade to 4.3.6
or later as soon as possible, or disable remote access to JMX server.

JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7312

Credit: This issue was reported by Daniel Heyne, Konstantin Samuel and Tobias
Neitzel
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEGqjPktQJpzOT0Lc2v/LuQsgoLnYFAmHlgMUACgkQv/LuQsgo
Lnb4phAAg8ccLRsJX7fMr7SPPvbA9h7AyBkCupY1NErKUqDcnssmAlbBwfe07ztI
xRn0Fvv3TSD077beEtt7qjgO+W5xmi6F7b6CBdrUnAE+d6mbEUiL0Ur5SJKaeN3s
sMbQb0RhlfcSG7uBSYwSXGaikuWzHedWMemQilZzjNLc/qJhllmptFkM1TANq4W8
51uglaiA1+7mQapl8mfwxlFbNqzWuVOmKq+PwvrKmSRjS4Uf4TLU5j4liH4thhS8
wsZpKCNEAKpeDqNI/zCkU4QHzdE67va1IJ5rhsbiXMCO/5g7GiOUbwlnEkbjENX2
vYKMeLdNPxiXYlVROwOo1Z2vQEGvZYLPvYJy9LJeHn0FJtYE5CImaC9NnpHoq6YB
pxlw6ZcVeEOic6jj2UOA1t7aBh2KEmLhqe1JXPZTXHB3r6baGnsXbNKPnG7VEDF0
TlxGvK6Wx6yVGaaqX7OemLWumhEftRWE5oiUxQtbdxYUgXD0qfnFfYJkIgIeG5B4
H0MjlDLhLW03t7xK5hPsr0ibfBgyHgwx7uYpUvkuaNnPIMCupEmeW/SWrsmheAkK
R231ARKeUUhFshjLFV+WxgxdEPh9cJB6R98UvRRtlXm5UHXCbTeYtFPBouA2ZsyF
KDNTcFDXUUD+3jEvI6HlLPQ1ij7aTAGGlj7nR9PXeMfzkBBjBRU=
=kBXw
-----END PGP SIGNATURE-----