Eduardo Aguinaga created KARAF-4214:
---------------------------------------
Summary: Deserialization of Untrusted Data
Key: KARAF-4214
URL: https://issues.apache.org/jira/browse/KARAF-4214
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga
HP Fortify SCA and SciTools Understand were used to perform an application
security analysis on the karaf source code.
The application deserializes untrusted data without sufficiently verifying that
the resulting data will be valid. An adversary could attack the application by
tampering with the resource "karaf.key".
File: client\src\main\java\org\apache\karaf\client\Main.java
Line: 297
Main.java, lines 291-313:
291     private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
292         InputStream is = null;
293         try {
294             SshAgent agent = new AgentImpl();
295             is = privateKeyUrl.openStream();
296             ObjectInputStream r = new ObjectInputStream(is);
297             KeyPair keyPair = (KeyPair) r.readObject();
298             is.close();
299             agent.addIdentity(keyPair, user);
300             if (keyFile != null) {
301                 String[] keyFiles = new String[]{keyFile};
302                 FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
303                 for (KeyPair key : fileKeyPairProvider.loadKeys()) {
304                     agent.addIdentity(key, user);
305                 }
306             }
307             return agent;
308         } catch (Throwable e) {
309             close(is);
310             System.err.println("Error starting ssh agent for: " + e.getMessage());
311             return null;
312         }
313     }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
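As an added example, not part of this issue or of the Karaf code base: the finding above is that `ObjectInputStream.readObject()` on line 297 will instantiate whatever class graph the `karaf.key` resource contains before the cast to `KeyPair` is ever checked. One way to take Java serialization out of this path entirely is to persist the key pair as its standard encodings (X.509 `SubjectPublicKeyInfo` for the public key, PKCS#8 `PrivateKeyInfo` for the private key) together with the algorithm name, and rebuild it through `KeyFactory` on load. The class name `KeyPairCodec`, the algorithm allowlist and the size bound are assumptions of this example, not values from the issue.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Set;

// Example codec (hypothetical name): stores a KeyPair without Java serialization.
public class KeyPairCodec {
    // Assumed allowlist: only these algorithms are accepted on load.
    private static final Set<String> ALLOWED_ALGORITHMS = Set.of("RSA", "EC");
    // Assumed upper bound for one encoded key; rejects absurd length prefixes.
    private static final int MAX_KEY_BYTES = 16 * 1024;

    public static void write(KeyPair keyPair, OutputStream out) throws IOException {
        DataOutputStream dos = new DataOutputStream(out);
        PublicKey pub = keyPair.getPublic();
        PrivateKey priv = keyPair.getPrivate();
        dos.writeUTF(pub.getAlgorithm());
        writeBlob(dos, pub.getEncoded());   // X.509 SubjectPublicKeyInfo
        writeBlob(dos, priv.getEncoded());  // PKCS#8 PrivateKeyInfo
        dos.flush();
    }

    public static KeyPair read(InputStream in) throws IOException, GeneralSecurityException {
        DataInputStream dis = new DataInputStream(in);
        String algorithm = dis.readUTF();
        if (!ALLOWED_ALGORITHMS.contains(algorithm)) {
            throw new GeneralSecurityException("unsupported key algorithm: " + algorithm);
        }
        byte[] pubBytes = readBlob(dis);
        byte[] privBytes = readBlob(dis);
        // KeyFactory only ever produces a key of the named algorithm or throws;
        // no caller-chosen class is instantiated from the file contents.
        KeyFactory kf = KeyFactory.getInstance(algorithm);
        PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(pubBytes));
        PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(privBytes));
        return new KeyPair(pub, priv);
    }

    private static void writeBlob(DataOutputStream dos, byte[] data) throws IOException {
        dos.writeInt(data.length);
        dos.write(data);
    }

    private static byte[] readBlob(DataInputStream dis) throws IOException {
        int len = dis.readInt();
        if (len <= 0 || len > MAX_KEY_BYTES) {
            throw new IOException("invalid key length: " + len);
        }
        byte[] data = new byte[len];
        dis.readFully(data);
        return data;
    }

    // Round trip on a freshly generated key pair (constructed sample input).
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair original = gen.generateKeyPair();

        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        write(original, buf);
        KeyPair restored = read(new ByteArrayInputStream(buf.toByteArray()));

        boolean same = Arrays.equals(original.getPublic().getEncoded(), restored.getPublic().getEncoded())
                && Arrays.equals(original.getPrivate().getEncoded(), restored.getPrivate().getEncoded());
        System.out.println("round trip ok: " + same);
    }
}
```

The design point is that the loader never hands the file's bytes to a general object deserializer: the only code that interprets them is the `KeyFactory` for an allowlisted algorithm, so a tampered `karaf.key` can produce a parse failure but not an arbitrary object graph. If the existing serialized format has to be kept for compatibility, the fallback on Java 9 and later is to install a class allowlist on the `ObjectInputStream` via `ObjectInputFilter` before calling `readObject()`, so that anything other than the expected key classes is rejected up front.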