R.A. Porter

**Name of the Vulnerable Software and Affected Versions** Apache Karaf versions prior to 4.2.0 **Description** The issue allows any user with rights to the Karaf console to read and write files on the file system that the Karaf process user has access to, if the sshd service is enabled. This can be partially mitigated by using chroot to change the root directory or by defining a security manager policy to limit file system access. However, users with ssh access can still read and write a large number of files as the Karaf process user. **Recommendations** For Apache Karaf versions prior to 4.2.0, update to version 4.2.0 or later to resolve the issue. As a temporary workaround, consider using chroot to change the root directory to protect files outside of the Karaf install directory, and define a security manager policy to limit file system access to necessary directories beneath the Karaf home. Restrict access to the sshd service to minimize the risk of exploitation.