This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/karaf-site.git
The following commit(s) were added to refs/heads/trunk by this push:
new 1ebfa39 Publish CVE-2018-11788
1ebfa39 is described below
commit 1ebfa39eceb6ad7eddd8ac430cdb7db87bda8353
Author: Jean-Baptiste Onofré <[email protected]>
AuthorDate: Sun Jan 6 07:12:44 2019 +0100
Publish CVE-2018-11788
---
src/main/webapp/documentation.html | 12 +++++++----
src/main/webapp/security/cve-2018-11788.txt | 33 +++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/src/main/webapp/documentation.html
b/src/main/webapp/documentation.html
index 39674da..602d8bc 100644
--- a/src/main/webapp/documentation.html
+++ b/src/main/webapp/documentation.html
@@ -350,6 +350,10 @@
<h2 class="pb-3 mb-4 font-italic border-bottom"><i class="fas
fa-lock"></i> Security Advisories</h2>
<div class="pb-4 mb-3">
+ <p>CVE-2014-0219 : Apache Karaf enables a shutdown port on the
loopback interface, which allows local users to cause a denial of service
(shutdown) by sending a shutdown command to all listening high ports.</p>
+ <a class="btn btn-outline-primary"
href="security/cve-2014-0219.txt">Notes »</a>
+ </div>
+ <div class="pb-4 mb-3">
<p>CVE-2016-8750 : Apache Karaf's LDAPLoginModule is
vulnerable to LDAP injection.</p>
<a class="btn btn-outline-primary"
href="security/cve-2016-8750.txt">Notes »</a>
</div><!-- /.blog-post -->
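Review bot: the CVE-2014-0219 block this hunk adds at the top of the list closes with a bare `</div>`, while the neighbouring CVE-2016-8750 block closes with `</div><!-- /.blog-post -->`; either add the end-of-block comment to the new block or drop it from the old one so the per-advisory blocks follow one convention. The move itself (chronological order, 2014 before 2016) is fine, but since the block is re-added here verbatim and removed in the next hunk, double-check after applying that exactly one CVE-2014-0219 entry remains on the page.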
@@ -361,10 +365,10 @@
<p>CVE-2018-11787 : Unsecure access to Gogo shell in the webconsole.</p>
<a class="btn
btn-outline-primary" href="security/cve-2018-11787.txt">Notes »</a>
</div>
- <div class="pb-4 mb-3">
- <p>CVE-2014-0219 : Apache Karaf enables a shutdown port on the
loopback interface, which allows local users to cause a denial of service
(shutdown) by sending a shutdown command to all listening high ports.</p>
- <a class="btn btn-outline-primary"
href="security/cve-2014-0219.txt">Notes »</a>
- </div>
+ <div class="pb-4 mb-3">
+
<p>CVE-2018-11788 : XXE vulnerability found on Apache Karaf.</p>
+ <a class="btn
btn-outline-primary" href="security/cve-2018-11788.txt">Notes »</a>
+ </div>
</div><!-- /.blog-main -->
</div>
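Review bot: the summary line for the new entry, `<p>CVE-2018-11788 : XXE vulnerability found on Apache Karaf.</p>`, names no component, whereas the sibling entries do (LDAPLoginModule, Gogo shell in the webconsole); the advisory text added in this same commit locates the issue in the features deployer's parsing of features XML, so say that here, e.g. `XXE vulnerability in the features deployer (features XML parsing).` Also, the added `+` line directly after the opening `<div class="pb-4 mb-3">` is empty and the `<p>` line after it has lost its `+` marker in the mail wrapping; confirm the committed HTML has the `<p>` directly inside the div with no stray blank line, matching the other entries.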
diff --git a/src/main/webapp/security/cve-2018-11788.txt
b/src/main/webapp/security/cve-2018-11788.txt
new file mode 100644
index 0000000..8a09d76
--- /dev/null
+++ b/src/main/webapp/security/cve-2018-11788.txt
@@ -0,0 +1,33 @@
+CVS-2018-11788: XXE vulnerability found on Apache Karaf
+
+Severity: Moderate
+
+Vendor: The Apache Software Foundation
+
+Versions Affected: all versions of Apache Karaf prior to 4.1.7, 4.2.2.
+
+Description:
+
+Apache Karaf provides a features deployer, which allows users to "hot deploy"
+a features XML by dropping the file directly in the deploy folder.
+
+The features XML is parsed by XMLInputFactory class.
+
+Apache Karaf XMLInputFactory class doesn't contain any mitigation codes
+against XXE.
+This is a potential security risk as an user can inject external XML entities.
+
+The mitigation is to prevent XXE by disabling external entities loading feature
+in XMLInputFactory and XmlUtils.
+
+This has been fixed in revision:
+
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=cc3332e
+https://gitbox.apache.org/repos/asf?p=karaf.git;h=1ffa6d1
+
+Mitigation: Apache Karaf users should upgrade to 4.1.7, 4.2.2
+or later as soon as possible.
+
+JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-5911
+
+Credit: This issue was reported by Brian Wang.
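Review bot: the first line of the new file, `CVS-2018-11788: XXE vulnerability found on Apache Karaf`, has a typo in the identifier (CVS instead of CVE) that contradicts both the filename cve-2018-11788.txt and the commit subject; fix it before this page is picked up by anything indexing on the CVE ID. The line `Versions Affected: all versions of Apache Karaf prior to 4.1.7, 4.2.2.` is ambiguous about whether 4.2.0 and 4.2.1 are covered by "prior to 4.1.7"; state it as two series, e.g. `Apache Karaf 4.1.x prior to 4.1.7 and 4.2.x prior to 4.2.2`, which also matches the Mitigation line. Wording: `mitigation codes` should read `mitigations`, and `an user` should read `a user`. Finally, "disabling external entities loading feature in XMLInputFactory and XmlUtils" would be more useful to operators if it named the actual XMLInputFactory properties the fix turns off (the javax.xml.stream external-entity and DTD support properties), so that anyone backporting or auditing a custom build can verify the parser configuration rather than just the version number.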