=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN074
_____________________________________________________________________

DATE                : 26/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Karaf versions prior to
                     2.12.0.

=====================================================================
https://lists.apache.org/thread/bvbq3drlbh2fsksckvj8oqbpz7m9lwgc
_____________________________________________________________________

https://karaf.apache.org/security/cve-2026-24656.txt: CVE-2026-24656:
Apache Karaf: Decanter log-socket collector has deserialization
vulnerability

Severity: important

Affected versions:

- Apache Karaf (org.apache.karaf.decanter.collector:org.apache.karaf.decanter.collector.log.socket) before 2.12.0
- Apache Karaf (org.apache.karaf.decanter.collector:org.apache.karaf.decanter.collector.log.socket) 2.12.0 unaffected

Description:

Deserialization of Untrusted Data vulnerability in Apache Karaf
Decanter.


The Decanter log socket collector exposes port 4560 without
authentication. Even when the collector's allowed-classes property is
configured, that restriction can be bypassed.
The log socket collector is therefore vulnerable to deserialization of
untrusted data, which can eventually cause a DoS.
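
As an added illustration from the defender's side (Java, not Karaf Decanter's own code): a JVM-level deserialization filter (JEP 290, Java 9+) bound to the ObjectInputStream itself, which is the robust way to enforce an allow-list compared with a class-name check in application code, and which also caps graph depth and array size against resource-exhaustion payloads. The class, the allow-list contents and the sample payloads are hypothetical.

```java
import java.io.*;
import java.util.*;

// Added illustration, not Karaf Decanter code: a JVM-level deserialization filter
// (JEP 290, Java 9+) bound to the ObjectInputStream itself, so that a bypass of an
// application-level class-name check still cannot instantiate arbitrary classes.
public class FilteredLogReceiver {
    // Hypothetical allow-list: only the classes a log event is expected to carry.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Long", "java.lang.Integer", "java.util.HashMap");
    static ObjectInputFilter logEventFilter() {
        return info -> {
            // Caps against resource-exhaustion payloads (deeply nested graphs, huge arrays).
            if (info.depth() > 10 || info.arrayLength() > 10_000 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) {                      // no class in this callback: leave undecided
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) c = c.getComponentType();   // judge arrays by component type
            return c.isPrimitive() || ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;         // default deny
        };
    }
    // Reads one object from the payload; a rejected class raises InvalidClassException
    // before any constructor or readObject() of that class runs.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(logEventFilter());
            return ois.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples: an allowed map is accepted, a class outside the list is not.
        System.out.println("accepted: " + readFiltered(serialize(new HashMap<>(Map.of("level", "INFO")))));
        try { readFiltered(serialize(new ArrayList<>())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The filter runs for every class in the object graph, including nested and array component types, so it cannot be side-stepped by wrapping a disallowed class inside an allowed one.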


NB: Decanter log socket collector is not installed by default. Users
who have not installed Decanter log socket are not impacted by this
issue.

This issue affects Apache Karaf Decanter before 2.12.0.

Users are recommended to upgrade to version 2.12.0, which fixes the
issue.

This issue is being tracked as https://github.com/apache/karaf-decanter/issues/555

Credit:

r00t4dm (finder)

References:

https://karaf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-24656
https://github.com/apache/karaf-decanter/issues/555


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================