Author: jbonofre
Date: Fri Sep 14 16:12:44 2018
New Revision: 1840938

URL: http://svn.apache.org/viewvc?rev=1840938&view=rev
Log:
[scm-publish] Updating main website contents

Added:
    karaf/site/production/security/cve-2018-11787.txt
Modified:
    karaf/site/production/documentation.html

Modified: karaf/site/production/documentation.html
URL: http://svn.apache.org/viewvc/karaf/site/production/documentation.html?rev=1840938&r1=1840937&r2=1840938&view=diff
==============================================================================
--- karaf/site/production/documentation.html (original)
+++ karaf/site/production/documentation.html Fri Sep 14 16:12:44 2018
@@ -321,6 +321,10 @@
                                                                
<p>CVE-2018-11786 : Enforce SSH permission based on RBAC.</p>
                                                                <a class="btn 
btn-outline-primary" href="security/cve-2018-11786.txt">Notes &raquo;</a>
                                                        </div>
+                                                       <div class="pb-4 mb-3">
+                                                               
<p>CVE-2018-11787 : Unsecure access to Gogo shell in the webconsole.</p>
+                                                               <a class="btn 
btn-outline-primary" href="security/cve-2018-11787.txt">Notes &raquo;</a>
+                                                       </div>
 
             </div><!-- /.blog-main -->
         </div>
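Review bot: the new entry's description reads "Unsecure access to Gogo shell in the webconsole"; standard English is "Insecure access", and since the linked notes file at security/cve-2018-11787.txt carries the same word in its title line, the two should be corrected together so the link text and the advisory heading keep matching. The markup itself mirrors the preceding CVE-2018-11786 block (same `div class="pb-4 mb-3"` wrapper, same `btn btn-outline-primary` link to the notes file), so the rendered list stays consistent.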

Added: karaf/site/production/security/cve-2018-11787.txt
URL: http://svn.apache.org/viewvc/karaf/site/production/security/cve-2018-11787.txt?rev=1840938&view=auto
==============================================================================
--- karaf/site/production/security/cve-2018-11787.txt (added)
+++ karaf/site/production/security/cve-2018-11787.txt Fri Sep 14 16:12:44 2018
@@ -0,0 +1,44 @@
+CVS-2018-11787: Apache Karaf unsecure access to Gogo shell in the webconsole
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+This vulnerability affects all versions of Apache Karaf prior to 3.0.9, 4.0.9, 
4.1.1.
+
+Description:
+
+When the webconsole feature is installed in Karaf, it is available at
+.../system/console and requires authentication to access it.  One part
+of the console is a Gogo shell/console that gives access to the
+command line console of Karaf via a Web browser, and when navigated to
+it is available at .../system/console/gogo.  Trying to go directly to
+that URL does require authentication.
+
+And optional bundle that some applications use is the Pax Web Extender
+Whiteboard, it is part of the pax-war feature and perhaps others.
+When it is installed, the Gogo console becomes available at another
+URL .../gogo/, and that URL is not secured giving access to the Karaf
+console to unauthenticated users.
+
+A mitigation for the issue is to manually stop/uninstall Gogo plugin
+bundle that is installed with the webconsole feature, although of
+course this removes the console from the .../system/console
+application, not only from the unauthenticated endpoint.  One could
+also stop/uninstall the Pax Web Extender Whiteboard, but other
+components/applications may require it and so their functionality
+would be reduced/compromised.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=cfa213a
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=434e525
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=1fc60d7
+
+Migration:
+
+Apache Karaf users should upgrade to 3.0.9, 4.0.9, 4.1.1 or later as soon as 
possible.
+
+Credit: This issue was reported by Kevin Schmidt
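Review bot: the first line of the new advisory misnames the identifier as "CVS-2018-11787"; the file name, the link text in documentation.html and the rest of the text all use CVE-2018-11787, so the title should read "CVE-2018-11787: Apache Karaf insecure access to Gogo shell in the webconsole" ("insecure" being the standard spelling of "unsecure"). Two wording problems in the Description also obscure the point being made: "And optional bundle that some applications use" should be "An optional bundle that some applications use", and "Trying to go directly to that URL does require authentication" reads as though authentication were the problem, whereas the intended contrast is that .../system/console/gogo still requires authentication while the .../gogo/ URL registered through the Pax Web Extender Whiteboard does not; "Requesting that URL directly still requires authentication" states it plainly. The mitigation paragraph would serve operators better if it named the Gogo plugin bundle that the webconsole feature installs (it is referred to only as "Gogo plugin bundle"), and, because the unauthenticated endpoint exists only when the Pax Web Extender Whiteboard is installed, a one-line check (an unauthenticated request to .../gogo/ returning the console page rather than an authentication challenge) would let readers confirm whether a deployment is exposed before and after stopping the bundle or upgrading to 3.0.9, 4.0.9, 4.1.1 or later.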