This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/karaf-site.git
The following commit(s) were added to refs/heads/trunk by this push:
new 5695d37 Publish CVE-2018-11787 advisory
5695d37 is described below
commit 5695d37fa02a481d63a5b2df966a9fe612c93f31
Author: Jean-Baptiste Onofré <[email protected]>
AuthorDate: Fri Sep 14 18:11:08 2018 +0200
Publish CVE-2018-11787 advisory
---
src/main/webapp/documentation.html | 4 +++
src/main/webapp/security/cve-2018-11787.txt | 44 +++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
diff --git a/src/main/webapp/documentation.html b/src/main/webapp/documentation.html
index 2f62d90..ceb7007 100644
--- a/src/main/webapp/documentation.html
+++ b/src/main/webapp/documentation.html
@@ -321,6 +321,10 @@
<p>CVE-2018-11786 : Enforce SSH permission based on RBAC.</p>
<a class="btn
btn-outline-primary" href="security/cve-2018-11786.txt">Notes »</a>
</div>
+ <div class="pb-4 mb-3">
+
<p>CVE-2018-11787 : Unsecure access to Gogo shell in the webconsole.</p>
+ <a class="btn
btn-outline-primary" href="security/cve-2018-11787.txt">Notes »</a>
+ </div>
</div><!-- /.blog-main -->
</div>
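Review bot: the link text added in this hunk reads "Unsecure access to Gogo shell in the webconsole"; the standard word is "insecure", so change the added paragraph to `<p>CVE-2018-11787 : Insecure access to Gogo shell in the webconsole.</p>` and use the same wording in the advisory title so the index page and the notes file agree. The markup itself (the `pb-4 mb-3` block and the `btn btn-outline-primary` link to `security/cve-2018-11787.txt`) mirrors the CVE-2018-11786 entry directly above it, which is consistent.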
diff --git a/src/main/webapp/security/cve-2018-11787.txt b/src/main/webapp/security/cve-2018-11787.txt
new file mode 100644
index 0000000..44ec4b3
--- /dev/null
+++ b/src/main/webapp/security/cve-2018-11787.txt
@@ -0,0 +1,44 @@
+CVS-2018-11787: Apache Karaf unsecure access to Gogo shell in the webconsole
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Karaf prior to 3.0.9, 4.0.9,
4.1.1.
+
+Description:
+
+When the webconsole feature is installed in Karaf, it is available at
+.../system/console and requires authentication to access it. One part
+of the console is a Gogo shell/console that gives access to the
+command line console of Karaf via a Web browser, and when navigated to
+it is available at .../system/console/gogo. Trying to go directly to
+that URL does require authentication.
+
+And optional bundle that some applications use is the Pax Web Extender
+Whiteboard, it is part of the pax-war feature and perhaps others.
+When it is installed, the Gogo console becomes available at another
+URL .../gogo/, and that URL is not secured giving access to the Karaf
+console to unauthenticated users.
+
+A mitigation for the issue is to manually stop/uninstall Gogo plugin
+bundle that is installed with the webconsole feature, although of
+course this removes the console from the .../system/console
+application, not only from the unauthenticated endpoint. One could
+also stop/uninstall the Pax Web Extender Whiteboard, but other
+components/applications may require it and so their functionality
+would be reduced/compromised.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=cfa213a
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=434e525
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=1fc60d7
+
+Migration:
+
+Apache Karaf users should upgrade to 3.0.9, 4.0.9, 4.1.1 or later as soon as
possible.
+
+Credit: This issue was reported by Kevin Schmidt
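Review bot: the title line of the new advisory reads "CVS-2018-11787"; it should be "CVE-2018-11787", matching the filename and the commit message, otherwise a search for the CVE identifier will miss this page. Two smaller wording fixes in the same file: "And optional bundle that some applications use is the Pax Web Extender Whiteboard" should read "An optional bundle ...", and "unsecure" in the title should be "insecure". The Description section is otherwise precise about the two endpoints (.../system/console/gogo, which requires authentication, and .../gogo/, which is exposed without authentication once Pax Web Extender Whiteboard is installed) and about the side effects of both workarounds. Since three fix commits are listed against three fixed versions (3.0.9, 4.0.9, 4.1.1), noting next to each short hash which release line it landed on would let readers match a commit to their version without opening each link.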