Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2016-9879
Vulnerability from cvelistv5
Published
2017-01-06 22:00
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1 |
Version: Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:30.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "95142",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95142"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://pivotal.io/security/cve-2016-9879"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1"
}
]
}
],
"datePublic": "2017-01-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Encoded \"/\" in path variables",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-04T19:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"name": "RHSA-2017:1832",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "95142",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95142"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://pivotal.io/security/cve-2016-9879"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"ID": "CVE-2016-9879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1",
"version": {
"version_data": [
{
"version_value": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Encoded \"/\" in path variables"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:1832",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "95142",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95142"
},
{
"name": "https://pivotal.io/security/cve-2016-9879",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2016-9879"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2016-9879",
"datePublished": "2017-01-06T22:00:00",
"dateReserved": "2016-12-06T00:00:00",
"dateUpdated": "2024-08-06T03:07:30.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EFD426B7-885E-4C37-BA39-9877BB10685F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D32668E1-4839-474C-A97D-0A485BF3CE04\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CF0DADB2-8D42-4592-9433-2941E3D57F95\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C97588A1-B874-41F2-871E-BD3D5057FAC0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"00D3C6A3-4C51-4B2D-867A-A17B3AA39A19\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2D23169-794F-42BB-A03A-D6451756445B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AE534FC0-0589-4DDA-9B5F-9ECD0BE5BE5C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D9E33A46-01D0-4EA0-997F-6EAE4342C422\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F9A0E838-84BB-4AE8-A673-CF6F18239B36\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:3.2.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9FAD6EE1-7E45-46A9-8B08-D08800E57980\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:4.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D4DC74CB-3FE2-436C-8F3B-6C607B1C868F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:4.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"605DF913-AB13-40BC-B03B-8663BB96BD44\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:4.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"55C17CD1-C6BC-4625-839E-55EEAFEB06D7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:4.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"614C55BF-7851-46B7-9D04-88D6354B48C8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:vmware:spring_security:4.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7F34640C-5004-4E2D-8F2E-BC214F750688\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1FD8F9CE-4E98-4187-B84A-429FA1C65E2D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FC1D7570-4AB4-44B0-B5ED-D103F0946F63\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E709E36-B5D0-42E5-A305-AF385FD7F347\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"49506702-1B31-4421-8DEE-5B789272EC6E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"158777FD-83D1-44B9-83B4-A3F490CA76F4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EDA2FE6B-6E42-4E97-B803-DAB671D30FF5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"72F5A562-5B2E-4BC7-8A81-EFE5ED265803\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"168E2F18-56C6-4789-BBAC-C99D4792046F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B53EBD40-8E1A-4516-927D-ED1CF212B211\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1A4E88BA-F637-4400-A64F-E6516AE8917C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"32C745A6-FDE7-4236-BA1D-8BB22D184AA2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0C8EE753-8773-4DFF-90A7-35CE45C7EC30\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ibm:websphere_application_server:8.5.5.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F4B0179F-C523-4835-BDF2-E7C2166B4B8A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \\\"/\\\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.\"}, {\"lang\": \"es\", \"value\": \"Se descubri\\u00f3 un problema en Pivotal Spring Security en versiones anteriores a 3.2.10, 4.1.x en versiones anteriores a 4.1.4 y 4.2.x en versiones anteriores a 4.2.1. Spring Security no considera par\\u00e1metros de ruta URL cuando procesa restricciones de seguridad. A\\u00f1adiendo un par\\u00e1metro de ruta URL con con un \\\"/\\\" codificado a una petici\\u00f3n, un atacante podr\\u00eda ser capaz de eludir una restricci\\u00f3n de seguridad. La causa principal de este problema es la falta de claridad en lo que se refiere al manejo de los par\\u00e1metros de ruta en las Servlet Specification. Algunos contenedores Servlet incluyen par\\u00e1metros de ruta en el valor devuelto para getPathInfo() y otros no. Spring Security utiliza el valor devuelto por getPathInfo() como parte del proceso de mapeo de peticiones a las restricciones de seguridad. La presencia inesperada de par\\u00e1metros de ruta puede provocar que una restricci\\u00f3n sea eludida. Los usuarios de Apache Tomcat (todas las versiones actuales) no est\\u00e1n afectados por esta vulnerabilidad ya que Tomcat sigue la gu\\u00eda proporcionada previamente por el grupo Servlet Expert y elimina los par\\u00e1metros de ruta del valor devuelto por getContextPath(), getServletPath() y getPathInfo(). Usuarios de otros contenedores Servlet basados en Apache Tomcat podr\\u00edan o no estar afectados dependiendo en si el manejo de los par\\u00e1metros ha sido modificado. Se sabe que los Usuarios de IBM WebSphere Application Server 8.5.x est\\u00e1n afectados. Usuarios de otros contenedores que implementan la especificaci\\u00f3n Servlet podr\\u00edan estar afectados.\"}]",
"id": "CVE-2016-9879",
"lastModified": "2024-11-21T03:01:56.490",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2017-01-06T22:59:00.360",
"references": "[{\"url\": \"http://www.securityfocus.com/bid/95142\", \"source\": \"security_alert@emc.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:1832\", \"source\": \"security_alert@emc.com\"}, {\"url\": \"https://pivotal.io/security/cve-2016-9879\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/95142\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:1832\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://pivotal.io/security/cve-2016-9879\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-417\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2016-9879\",\"sourceIdentifier\":\"security_alert@emc.com\",\"published\":\"2017-01-06T22:59:00.360\",\"lastModified\":\"2024-11-21T03:01:56.490\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \\\"/\\\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en Pivotal Spring Security en versiones anteriores a 3.2.10, 4.1.x en versiones anteriores a 4.1.4 y 4.2.x en versiones anteriores a 4.2.1. Spring Security no considera par\u00e1metros de ruta URL cuando procesa restricciones de seguridad. A\u00f1adiendo un par\u00e1metro de ruta URL con con un \\\"/\\\" codificado a una petici\u00f3n, un atacante podr\u00eda ser capaz de eludir una restricci\u00f3n de seguridad. La causa principal de este problema es la falta de claridad en lo que se refiere al manejo de los par\u00e1metros de ruta en las Servlet Specification. Algunos contenedores Servlet incluyen par\u00e1metros de ruta en el valor devuelto para getPathInfo() y otros no. Spring Security utiliza el valor devuelto por getPathInfo() como parte del proceso de mapeo de peticiones a las restricciones de seguridad. La presencia inesperada de par\u00e1metros de ruta puede provocar que una restricci\u00f3n sea eludida. Los usuarios de Apache Tomcat (todas las versiones actuales) no est\u00e1n afectados por esta vulnerabilidad ya que Tomcat sigue la gu\u00eda proporcionada previamente por el grupo Servlet Expert y elimina los par\u00e1metros de ruta del valor devuelto por getContextPath(), getServletPath() y getPathInfo(). Usuarios de otros contenedores Servlet basados en Apache Tomcat podr\u00edan o no estar afectados dependiendo en si el manejo de los par\u00e1metros ha sido modificado. Se sabe que los Usuarios de IBM WebSphere Application Server 8.5.x est\u00e1n afectados. Usuarios de otros contenedores que implementan la especificaci\u00f3n Servlet podr\u00edan estar afectados.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-417\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFD426B7-885E-4C37-BA39-9877BB10685F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D32668E1-4839-474C-A97D-0A485BF3CE04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF0DADB2-8D42-4592-9433-2941E3D57F95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C97588A1-B874-41F2-871E-BD3D5057FAC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00D3C6A3-4C51-4B2D-867A-A17B3AA39A19\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2D23169-794F-42BB-A03A-D6451756445B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AE534FC0-0589-4DDA-9B5F-9ECD0BE5BE5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9E33A46-01D0-4EA0-997F-6EAE4342C422\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9A0E838-84BB-4AE8-A673-CF6F18239B36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:3.2.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FAD6EE1-7E45-46A9-8B08-D08800E57980\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:4.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4DC74CB-3FE2-436C-8F3B-6C607B1C868F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:4.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"605DF913-AB13-40BC-B03B-8663BB96BD44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:4.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55C17CD1-C6BC-4625-839E-55EEAFEB06D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:4.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"614C55BF-7851-46B7-9D04-88D6354B48C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_security:4.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F34640C-5004-4E2D-8F2E-BC214F750688\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FD8F9CE-4E98-4187-B84A-429FA1C65E2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC1D7570-4AB4-44B0-B5ED-D103F0946F63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E709E36-B5D0-42E5-A305-AF385FD7F347\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49506702-1B31-4421-8DEE-5B789272EC6E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"158777FD-83D1-44B9-83B4-A3F490CA76F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDA2FE6B-6E42-4E97-B803-DAB671D30FF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"72F5A562-5B2E-4BC7-8A81-EFE5ED265803\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"168E2F18-56C6-4789-BBAC-C99D4792046F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B53EBD40-8E1A-4516-927D-ED1CF212B211\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A4E88BA-F637-4400-A64F-E6516AE8917C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32C745A6-FDE7-4236-BA1D-8BB22D184AA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C8EE753-8773-4DFF-90A7-35CE45C7EC30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ibm:websphere_application_server:8.5.5.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4B0179F-C523-4835-BDF2-E7C2166B4B8A\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/95142\",\"source\":\"security_alert@emc.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:1832\",\"source\":\"security_alert@emc.com\"},{\"url\":\"https://pivotal.io/security/cve-2016-9879\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/95142\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:1832\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://pivotal.io/security/cve-2016-9879\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
}
}
cve-2016-9879
Vulnerability from fkie_nvd
Published
2017-01-06 22:59
Modified
2024-11-21 03:01
Severity ?
Summary
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | spring_security | 3.2.0 | |
| vmware | spring_security | 3.2.1 | |
| vmware | spring_security | 3.2.2 | |
| vmware | spring_security | 3.2.3 | |
| vmware | spring_security | 3.2.4 | |
| vmware | spring_security | 3.2.5 | |
| vmware | spring_security | 3.2.6 | |
| vmware | spring_security | 3.2.7 | |
| vmware | spring_security | 3.2.8 | |
| vmware | spring_security | 3.2.9 | |
| vmware | spring_security | 4.1.0 | |
| vmware | spring_security | 4.1.1 | |
| vmware | spring_security | 4.1.2 | |
| vmware | spring_security | 4.1.3 | |
| vmware | spring_security | 4.2.0 | |
| ibm | websphere_application_server | 8.5.0.0 | |
| ibm | websphere_application_server | 8.5.0.1 | |
| ibm | websphere_application_server | 8.5.0.2 | |
| ibm | websphere_application_server | 8.5.5.0 | |
| ibm | websphere_application_server | 8.5.5.1 | |
| ibm | websphere_application_server | 8.5.5.2 | |
| ibm | websphere_application_server | 8.5.5.3 | |
| ibm | websphere_application_server | 8.5.5.4 | |
| ibm | websphere_application_server | 8.5.5.5 | |
| ibm | websphere_application_server | 8.5.5.6 | |
| ibm | websphere_application_server | 8.5.5.7 | |
| ibm | websphere_application_server | 8.5.5.8 | |
| ibm | websphere_application_server | 8.5.5.9 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EFD426B7-885E-4C37-BA39-9877BB10685F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D32668E1-4839-474C-A97D-0A485BF3CE04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CF0DADB2-8D42-4592-9433-2941E3D57F95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C97588A1-B874-41F2-871E-BD3D5057FAC0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "00D3C6A3-4C51-4B2D-867A-A17B3AA39A19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B2D23169-794F-42BB-A03A-D6451756445B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AE534FC0-0589-4DDA-9B5F-9ECD0BE5BE5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D9E33A46-01D0-4EA0-997F-6EAE4342C422",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "F9A0E838-84BB-4AE8-A673-CF6F18239B36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:3.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "9FAD6EE1-7E45-46A9-8B08-D08800E57980",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4DC74CB-3FE2-436C-8F3B-6C607B1C868F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "605DF913-AB13-40BC-B03B-8663BB96BD44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "55C17CD1-C6BC-4625-839E-55EEAFEB06D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "614C55BF-7851-46B7-9D04-88D6354B48C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:spring_security:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7F34640C-5004-4E2D-8F2E-BC214F750688",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1FD8F9CE-4E98-4187-B84A-429FA1C65E2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FC1D7570-4AB4-44B0-B5ED-D103F0946F63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9E709E36-B5D0-42E5-A305-AF385FD7F347",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49506702-1B31-4421-8DEE-5B789272EC6E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "158777FD-83D1-44B9-83B4-A3F490CA76F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "EDA2FE6B-6E42-4E97-B803-DAB671D30FF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "72F5A562-5B2E-4BC7-8A81-EFE5ED265803",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "168E2F18-56C6-4789-BBAC-C99D4792046F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B53EBD40-8E1A-4516-927D-ED1CF212B211",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.6:*:*:*:*:*:*:*",
"matchCriteriaId": "1A4E88BA-F637-4400-A64F-E6516AE8917C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.7:*:*:*:*:*:*:*",
"matchCriteriaId": "32C745A6-FDE7-4236-BA1D-8BB22D184AA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.8:*:*:*:*:*:*:*",
"matchCriteriaId": "0C8EE753-8773-4DFF-90A7-35CE45C7EC30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.9:*:*:*:*:*:*:*",
"matchCriteriaId": "F4B0179F-C523-4835-BDF2-E7C2166B4B8A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected."
},
{
"lang": "es",
"value": "Se descubri\u00f3 un problema en Pivotal Spring Security en versiones anteriores a 3.2.10, 4.1.x en versiones anteriores a 4.1.4 y 4.2.x en versiones anteriores a 4.2.1. Spring Security no considera par\u00e1metros de ruta URL cuando procesa restricciones de seguridad. A\u00f1adiendo un par\u00e1metro de ruta URL con con un \"/\" codificado a una petici\u00f3n, un atacante podr\u00eda ser capaz de eludir una restricci\u00f3n de seguridad. La causa principal de este problema es la falta de claridad en lo que se refiere al manejo de los par\u00e1metros de ruta en las Servlet Specification. Algunos contenedores Servlet incluyen par\u00e1metros de ruta en el valor devuelto para getPathInfo() y otros no. Spring Security utiliza el valor devuelto por getPathInfo() como parte del proceso de mapeo de peticiones a las restricciones de seguridad. La presencia inesperada de par\u00e1metros de ruta puede provocar que una restricci\u00f3n sea eludida. Los usuarios de Apache Tomcat (todas las versiones actuales) no est\u00e1n afectados por esta vulnerabilidad ya que Tomcat sigue la gu\u00eda proporcionada previamente por el grupo Servlet Expert y elimina los par\u00e1metros de ruta del valor devuelto por getContextPath(), getServletPath() y getPathInfo(). Usuarios de otros contenedores Servlet basados en Apache Tomcat podr\u00edan o no estar afectados dependiendo en si el manejo de los par\u00e1metros ha sido modificado. Se sabe que los Usuarios de IBM WebSphere Application Server 8.5.x est\u00e1n afectados. Usuarios de otros contenedores que implementan la especificaci\u00f3n Servlet podr\u00edan estar afectados."
}
],
"id": "CVE-2016-9879",
"lastModified": "2024-11-21T03:01:56.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-06T22:59:00.360",
"references": [
{
"source": "security_alert@emc.com",
"url": "http://www.securityfocus.com/bid/95142"
},
{
"source": "security_alert@emc.com",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"source": "security_alert@emc.com",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2016-9879"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/95142"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2016-9879"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-417"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
RHSA-2017:1832
Vulnerability from csaf_redhat
Published
2017-08-10 23:03
Modified
2024-11-22 11:10
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
Security Fix(es):
* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)
* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)
* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)
* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)
* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)
* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)
* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)
* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user\u0027s private information. (CVE-2015-6644)\n\n* It was found that Apache Camel\u0027s camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)\n\n* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)\n\n* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio\u0027s root. (CVE-2017-2594)\n\n* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)\n\n* It was found that Apache Camel\u0027s validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)\n\n* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)\n\n* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)\n\n* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type \u0027void\u0027. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)\n\nThe CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:1832",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq\u0026version=6.3.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/"
},
{
"category": "external",
"summary": "1409838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838"
},
{
"category": "external",
"summary": "1413905",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413905"
},
{
"category": "external",
"summary": "1415543",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1415543"
},
{
"category": "external",
"summary": "1420832",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420832"
},
{
"category": "external",
"summary": "1425455",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425455"
},
{
"category": "external",
"summary": "1432858",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432858"
},
{
"category": "external",
"summary": "1433374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433374"
},
{
"category": "external",
"summary": "1441538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441538"
},
{
"category": "external",
"summary": "1444015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1444015"
},
{
"category": "external",
"summary": "1445327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445327"
},
{
"category": "external",
"summary": "1445329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1832.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update",
"tracking": {
"current_release_date": "2024-11-22T11:10:23+00:00",
"generator": {
"date": "2024-11-22T11:10:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:1832",
"initial_release_date": "2017-08-10T23:03:00+00:00",
"revision_history": [
{
"date": "2017-08-10T23:03:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-15T01:47:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:10:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss A-MQ 6.3",
"product": {
"name": "Red Hat JBoss A-MQ 6.3",
"product_id": "Red Hat JBoss A-MQ 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:6.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 6.3",
"product": {
"name": "Red Hat JBoss Fuse 6.3",
"product_id": "Red Hat JBoss Fuse 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-6644",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2017-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1444015"
}
],
"notes": [
{
"category": "description",
"text": "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user\u0027s private information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: Information disclosure in GCMBlockCipher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-6644"
},
{
"category": "external",
"summary": "RHBZ#1444015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1444015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-6644",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-6644"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-6644",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6644"
}
],
"release_date": "2016-01-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: Information disclosure in GCMBlockCipher"
},
{
"cve": "CVE-2016-8749",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-02-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1420832"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Camel\u0027s camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the \u0027CamelJacksonUnmarshalType\u0027 property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-8749"
},
{
"category": "external",
"summary": "RHBZ#1420832",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420832"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-8749",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8749"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc"
}
],
"release_date": "2016-12-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE"
},
{
"cve": "CVE-2016-9879",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2016-12-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1409838"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Security: Improper handling of path parameters allows bypassing the security constraint",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-9879"
},
{
"category": "external",
"summary": "RHBZ#1409838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-9879",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879"
},
{
"category": "external",
"summary": "https://pivotal.io/security/cve-2016-9879",
"url": "https://pivotal.io/security/cve-2016-9879"
}
],
"release_date": "2016-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"category": "workaround",
"details": "Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Security: Improper handling of path parameters allows bypassing the security constraint"
},
{
"acknowledgments": [
{
"names": [
"Adam Willard"
],
"organization": "Blue Canopy"
},
{
"names": [
"Dennis Reed"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-2589",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2017-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413905"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hawtio: Proxy is sharing cookies among all the clients",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-2589"
},
{
"category": "external",
"summary": "RHBZ#1413905",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413905"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-2589",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-2589"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2589",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2589"
}
],
"release_date": "2017-07-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "hawtio: Proxy is sharing cookies among all the clients"
},
{
"acknowledgments": [
{
"names": [
"Hooman Broujerdi"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-2594",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2017-01-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1415543"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio\u0027s root.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hawtio: information Disclosure flaws due to unsafe path traversal",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-2594"
},
{
"category": "external",
"summary": "RHBZ#1415543",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1415543"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-2594",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-2594"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2594",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2594"
}
],
"release_date": "2017-01-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "hawtio: information Disclosure flaws due to unsafe path traversal"
},
{
"cve": "CVE-2017-3156",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2017-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1425455"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-3156"
},
{
"category": "external",
"summary": "RHBZ#1425455",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425455"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-3156",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3156"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-3156",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3156"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc"
}
],
"release_date": "2017-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks"
},
{
"cve": "CVE-2017-5643",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2017-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1433374"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Camel\u0027s validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5643"
},
{
"category": "external",
"summary": "RHBZ#1433374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5643",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5643"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5643",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5643"
},
{
"category": "external",
"summary": "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt",
"url": "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt"
}
],
"release_date": "2017-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE"
},
{
"cve": "CVE-2017-5653",
"discovery_date": "2017-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1445327"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5653"
},
{
"category": "external",
"summary": "RHBZ#1445327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445327"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5653",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5653"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5653",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5653"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc"
}
],
"release_date": "2017-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted"
},
{
"cve": "CVE-2017-5656",
"discovery_date": "2017-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1445329"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF\u0027s STSClient uses a flawed way of caching tokens that are associated with delegation tokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5656"
},
{
"category": "external",
"summary": "RHBZ#1445329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5656",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5656"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5656",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5656"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc"
}
],
"release_date": "2017-04-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF\u0027s STSClient uses a flawed way of caching tokens that are associated with delegation tokens"
},
{
"cve": "CVE-2017-5929",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-03-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1432858"
}
],
"notes": [
{
"category": "description",
"text": "It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5929"
},
{
"category": "external",
"summary": "RHBZ#1432858",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432858"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5929",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5929"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5929",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5929"
}
],
"release_date": "2017-02-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver"
},
{
"cve": "CVE-2017-7957",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-04-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1441538"
}
],
"notes": [
{
"category": "description",
"text": "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type \u0027void\u0027. An attacker could use this flaw to create a denial of service on the target system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: DoS when unmarshalling void type",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7957"
},
{
"category": "external",
"summary": "RHBZ#1441538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441538"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7957",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7957"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7957",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7957"
},
{
"category": "external",
"summary": "http://x-stream.github.io/CVE-2017-7957.html",
"url": "http://x-stream.github.io/CVE-2017-7957.html"
}
],
"release_date": "2017-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "XStream: DoS when unmarshalling void type"
}
]
}
rhsa-2017_1832
Vulnerability from csaf_redhat
Published
2017-08-10 23:03
Modified
2024-11-22 11:10
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
Security Fix(es):
* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)
* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)
* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)
* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)
* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)
* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)
* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)
* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user\u0027s private information. (CVE-2015-6644)\n\n* It was found that Apache Camel\u0027s camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)\n\n* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)\n\n* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio\u0027s root. (CVE-2017-2594)\n\n* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)\n\n* It was found that Apache Camel\u0027s validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)\n\n* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)\n\n* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)\n\n* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type \u0027void\u0027. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)\n\nThe CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:1832",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq\u0026version=6.3.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/"
},
{
"category": "external",
"summary": "1409838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838"
},
{
"category": "external",
"summary": "1413905",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413905"
},
{
"category": "external",
"summary": "1415543",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1415543"
},
{
"category": "external",
"summary": "1420832",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420832"
},
{
"category": "external",
"summary": "1425455",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425455"
},
{
"category": "external",
"summary": "1432858",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432858"
},
{
"category": "external",
"summary": "1433374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433374"
},
{
"category": "external",
"summary": "1441538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441538"
},
{
"category": "external",
"summary": "1444015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1444015"
},
{
"category": "external",
"summary": "1445327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445327"
},
{
"category": "external",
"summary": "1445329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1832.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update",
"tracking": {
"current_release_date": "2024-11-22T11:10:23+00:00",
"generator": {
"date": "2024-11-22T11:10:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:1832",
"initial_release_date": "2017-08-10T23:03:00+00:00",
"revision_history": [
{
"date": "2017-08-10T23:03:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-15T01:47:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:10:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss A-MQ 6.3",
"product": {
"name": "Red Hat JBoss A-MQ 6.3",
"product_id": "Red Hat JBoss A-MQ 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:6.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 6.3",
"product": {
"name": "Red Hat JBoss Fuse 6.3",
"product_id": "Red Hat JBoss Fuse 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-6644",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2017-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1444015"
}
],
"notes": [
{
"category": "description",
"text": "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user\u0027s private information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: Information disclosure in GCMBlockCipher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-6644"
},
{
"category": "external",
"summary": "RHBZ#1444015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1444015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-6644",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-6644"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-6644",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6644"
}
],
"release_date": "2016-01-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: Information disclosure in GCMBlockCipher"
},
{
"cve": "CVE-2016-8749",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-02-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1420832"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Camel\u0027s camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the \u0027CamelJacksonUnmarshalType\u0027 property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-8749"
},
{
"category": "external",
"summary": "RHBZ#1420832",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420832"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-8749",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8749"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc"
}
],
"release_date": "2016-12-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE"
},
{
"cve": "CVE-2016-9879",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2016-12-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1409838"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Security: Improper handling of path parameters allows bypassing the security constraint",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-9879"
},
{
"category": "external",
"summary": "RHBZ#1409838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-9879",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879"
},
{
"category": "external",
"summary": "https://pivotal.io/security/cve-2016-9879",
"url": "https://pivotal.io/security/cve-2016-9879"
}
],
"release_date": "2016-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"category": "workaround",
"details": "Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Security: Improper handling of path parameters allows bypassing the security constraint"
},
{
"acknowledgments": [
{
"names": [
"Adam Willard"
],
"organization": "Blue Canopy"
},
{
"names": [
"Dennis Reed"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-2589",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2017-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413905"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hawtio: Proxy is sharing cookies among all the clients",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-2589"
},
{
"category": "external",
"summary": "RHBZ#1413905",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413905"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-2589",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-2589"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2589",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2589"
}
],
"release_date": "2017-07-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "hawtio: Proxy is sharing cookies among all the clients"
},
{
"acknowledgments": [
{
"names": [
"Hooman Broujerdi"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-2594",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2017-01-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1415543"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio\u0027s root.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hawtio: information Disclosure flaws due to unsafe path traversal",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-2594"
},
{
"category": "external",
"summary": "RHBZ#1415543",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1415543"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-2594",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-2594"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2594",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2594"
}
],
"release_date": "2017-01-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "hawtio: information Disclosure flaws due to unsafe path traversal"
},
{
"cve": "CVE-2017-3156",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2017-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1425455"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-3156"
},
{
"category": "external",
"summary": "RHBZ#1425455",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425455"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-3156",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3156"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-3156",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3156"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc"
}
],
"release_date": "2017-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks"
},
{
"cve": "CVE-2017-5643",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2017-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1433374"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Camel\u0027s validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5643"
},
{
"category": "external",
"summary": "RHBZ#1433374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5643",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5643"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5643",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5643"
},
{
"category": "external",
"summary": "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt",
"url": "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt"
}
],
"release_date": "2017-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE"
},
{
"cve": "CVE-2017-5653",
"discovery_date": "2017-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1445327"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5653"
},
{
"category": "external",
"summary": "RHBZ#1445327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445327"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5653",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5653"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5653",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5653"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc"
}
],
"release_date": "2017-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted"
},
{
"cve": "CVE-2017-5656",
"discovery_date": "2017-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1445329"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF\u0027s STSClient uses a flawed way of caching tokens that are associated with delegation tokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5656"
},
{
"category": "external",
"summary": "RHBZ#1445329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5656",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5656"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5656",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5656"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc"
}
],
"release_date": "2017-04-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF\u0027s STSClient uses a flawed way of caching tokens that are associated with delegation tokens"
},
{
"cve": "CVE-2017-5929",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-03-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1432858"
}
],
"notes": [
{
"category": "description",
"text": "It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5929"
},
{
"category": "external",
"summary": "RHBZ#1432858",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432858"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5929",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5929"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5929",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5929"
}
],
"release_date": "2017-02-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver"
},
{
"cve": "CVE-2017-7957",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-04-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1441538"
}
],
"notes": [
{
"category": "description",
"text": "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type \u0027void\u0027. An attacker could use this flaw to create a denial of service on the target system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: DoS when unmarshalling void type",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7957"
},
{
"category": "external",
"summary": "RHBZ#1441538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441538"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7957",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7957"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7957",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7957"
},
{
"category": "external",
"summary": "http://x-stream.github.io/CVE-2017-7957.html",
"url": "http://x-stream.github.io/CVE-2017-7957.html"
}
],
"release_date": "2017-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "XStream: DoS when unmarshalling void type"
}
]
}
rhsa-2017:1832
Vulnerability from csaf_redhat
Published
2017-08-10 23:03
Modified
2024-11-22 11:10
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
Security Fix(es):
* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)
* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)
* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594)
* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)
* It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)
* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)
* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)
* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)
* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user\u0027s private information. (CVE-2015-6644)\n\n* It was found that Apache Camel\u0027s camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749)\n\n* It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879)\n\n* It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio\u0027s root. (CVE-2017-2594)\n\n* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156)\n\n* It was found that Apache Camel\u0027s validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)\n\n* It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653)\n\n* It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656)\n\n* It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929)\n\n* It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type \u0027void\u0027. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)\n\nThe CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat).",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:1832",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse\u0026downloadType=securityPatches\u0026version=6.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq\u0026version=6.3.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/"
},
{
"category": "external",
"summary": "1409838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838"
},
{
"category": "external",
"summary": "1413905",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413905"
},
{
"category": "external",
"summary": "1415543",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1415543"
},
{
"category": "external",
"summary": "1420832",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420832"
},
{
"category": "external",
"summary": "1425455",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425455"
},
{
"category": "external",
"summary": "1432858",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432858"
},
{
"category": "external",
"summary": "1433374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433374"
},
{
"category": "external",
"summary": "1441538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441538"
},
{
"category": "external",
"summary": "1444015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1444015"
},
{
"category": "external",
"summary": "1445327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445327"
},
{
"category": "external",
"summary": "1445329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_1832.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update",
"tracking": {
"current_release_date": "2024-11-22T11:10:23+00:00",
"generator": {
"date": "2024-11-22T11:10:23+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:1832",
"initial_release_date": "2017-08-10T23:03:00+00:00",
"revision_history": [
{
"date": "2017-08-10T23:03:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-15T01:47:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T11:10:23+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss A-MQ 6.3",
"product": {
"name": "Red Hat JBoss A-MQ 6.3",
"product_id": "Red Hat JBoss A-MQ 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:6.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 6.3",
"product": {
"name": "Red Hat JBoss Fuse 6.3",
"product_id": "Red Hat JBoss Fuse 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-6644",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2017-04-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1444015"
}
],
"notes": [
{
"category": "description",
"text": "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user\u0027s private information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bouncycastle: Information disclosure in GCMBlockCipher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-6644"
},
{
"category": "external",
"summary": "RHBZ#1444015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1444015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-6644",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-6644"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-6644",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6644"
}
],
"release_date": "2016-01-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bouncycastle: Information disclosure in GCMBlockCipher"
},
{
"cve": "CVE-2016-8749",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-02-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1420832"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Camel\u0027s camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the \u0027CamelJacksonUnmarshalType\u0027 property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-8749"
},
{
"category": "external",
"summary": "RHBZ#1420832",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420832"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-8749",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8749"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc"
}
],
"release_date": "2016-12-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-jacksonxml: Unmarshalling operation are vulnerable to RCE"
},
{
"cve": "CVE-2016-9879",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2016-12-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1409838"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Security: Improper handling of path parameters allows bypassing the security constraint",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-9879"
},
{
"category": "external",
"summary": "RHBZ#1409838",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-9879",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9879"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879"
},
{
"category": "external",
"summary": "https://pivotal.io/security/cve-2016-9879",
"url": "https://pivotal.io/security/cve-2016-9879"
}
],
"release_date": "2016-12-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"category": "workaround",
"details": "Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Security: Improper handling of path parameters allows bypassing the security constraint"
},
{
"acknowledgments": [
{
"names": [
"Adam Willard"
],
"organization": "Blue Canopy"
},
{
"names": [
"Dennis Reed"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-2589",
"cwe": {
"id": "CWE-285",
"name": "Improper Authorization"
},
"discovery_date": "2017-01-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413905"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hawtio: Proxy is sharing cookies among all the clients",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-2589"
},
{
"category": "external",
"summary": "RHBZ#1413905",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413905"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-2589",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-2589"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2589",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2589"
}
],
"release_date": "2017-07-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "hawtio: Proxy is sharing cookies among all the clients"
},
{
"acknowledgments": [
{
"names": [
"Hooman Broujerdi"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2017-2594",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2017-01-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1415543"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio\u0027s root.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "hawtio: information Disclosure flaws due to unsafe path traversal",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-2594"
},
{
"category": "external",
"summary": "RHBZ#1415543",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1415543"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-2594",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-2594"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-2594",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2594"
}
],
"release_date": "2017-01-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "hawtio: information Disclosure flaws due to unsafe path traversal"
},
{
"cve": "CVE-2017-3156",
"cwe": {
"id": "CWE-385",
"name": "Covert Timing Channel"
},
"discovery_date": "2017-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1425455"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk or JWT access tokens or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-3156"
},
{
"category": "external",
"summary": "RHBZ#1425455",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1425455"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-3156",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3156"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-3156",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3156"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2017-3156.txt.asc"
}
],
"release_date": "2017-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks"
},
{
"cve": "CVE-2017-5643",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2017-03-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1433374"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Camel\u0027s validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5643"
},
{
"category": "external",
"summary": "RHBZ#1433374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1433374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5643",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5643"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5643",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5643"
},
{
"category": "external",
"summary": "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt",
"url": "https://camel.apache.org/security-advisories.data/CVE-2017-5643.txt"
}
],
"release_date": "2017-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE"
},
{
"cve": "CVE-2017-5653",
"discovery_date": "2017-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1445327"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5653"
},
{
"category": "external",
"summary": "RHBZ#1445327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445327"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5653",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5653"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5653",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5653"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2017-5653.txt.asc"
}
],
"release_date": "2017-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted"
},
{
"cve": "CVE-2017-5656",
"discovery_date": "2017-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1445329"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cxf: CXF\u0027s STSClient uses a flawed way of caching tokens that are associated with delegation tokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5656"
},
{
"category": "external",
"summary": "RHBZ#1445329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1445329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5656",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5656"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5656",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5656"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2017-5656.txt.asc"
}
],
"release_date": "2017-04-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "cxf: CXF\u0027s STSClient uses a flawed way of caching tokens that are associated with delegation tokens"
},
{
"cve": "CVE-2017-5929",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-03-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1432858"
}
],
"notes": [
{
"category": "description",
"text": "It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-5929"
},
{
"category": "external",
"summary": "RHBZ#1432858",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1432858"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-5929",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-5929"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-5929",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5929"
}
],
"release_date": "2017-02-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "logback: Serialization vulnerability in SocketServer and ServerSocketReceiver"
},
{
"cve": "CVE-2017-7957",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2017-04-03T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1441538"
}
],
"notes": [
{
"category": "description",
"text": "It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type \u0027void\u0027. An attacker could use this flaw to create a denial of service on the target system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "XStream: DoS when unmarshalling void type",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-7957"
},
{
"category": "external",
"summary": "RHBZ#1441538",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441538"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-7957",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7957"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-7957",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7957"
},
{
"category": "external",
"summary": "http://x-stream.github.io/CVE-2017-7957.html",
"url": "http://x-stream.github.io/CVE-2017-7957.html"
}
],
"release_date": "2017-04-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-10T23:03:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nYou can find installation instructions in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "XStream: DoS when unmarshalling void type"
}
]
}
ghsa-v35c-49j6-q8hq
Vulnerability from github
Published
2020-09-15 20:30
Modified
2024-05-15 06:42
Severity ?
Summary
Security Constraint Bypass in Spring Security
Details
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.
Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo() [1].
Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified.
Users of IBM WebSphere Application Server 8.5.x are known to be affected.
Users of other containers that implement the Servlet specification may be affected.
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=25015
Affected Pivotal Products and Versions
Severity is high unless otherwise noted. - Spring Security 3.2.0 - 3.2.9 - Spring Security 4.0.x - 4.1.3 - Spring Security 4.2.0 - Older unsupported versions are also affected
Mitigation
Adopting one of the following mitigations will protect against this vulnerability.
- Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()
- Upgrading to Spring Security 3.2.10, 4.1.4 or 4.2.1 will reject the request with a RequestRejectedException if the presence of an encoded "/" is detected. Note: If you wish to disable this feature it can be disabled by setting the DefaultHttpFirewall.allowUrlEncodedSlash = true. However, disabling this feature will mean applications are vulnerable (in containers that return path parameters in getServletPath() or getPathInfo()).
Credit
The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.10.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.RELEASE"
},
{
"fixed": "4.1.4.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.RELEASE"
},
{
"fixed": "4.2.1.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-9879"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2020-09-15T20:29:50Z",
"nvd_published_at": "2017-01-06T22:59:00Z",
"severity": "HIGH"
},
"details": "Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.\n\nUsers of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo() [1].\n\nUsers of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified.\n\nUsers of IBM WebSphere Application Server 8.5.x are known to be affected.\n\nUsers of other containers that implement the Servlet specification may be affected.\n\n[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=25015\n\n## Affected Pivotal Products and Versions\nSeverity is high unless otherwise noted.\n- Spring Security 3.2.0 - 3.2.9\n- Spring Security 4.0.x - 4.1.3\n- Spring Security 4.2.0\n- Older unsupported versions are also affected\n\n## Mitigation\nAdopting one of the following mitigations will protect against this vulnerability.\n\n- Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo()\n- Upgrading to Spring Security 3.2.10, 4.1.4 or 4.2.1 will reject the request with a RequestRejectedException if the presence of an encoded \"/\" is detected. Note: If you wish to disable this feature it can be disabled by setting the DefaultHttpFirewall.allowUrlEncodedSlash = true. However, disabling this feature will mean applications are vulnerable (in containers that return path parameters in getServletPath() or getPathInfo()).\n\n## Credit\nThe issue was identified by Shumpei Asahara \u0026 Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal.",
"id": "GHSA-v35c-49j6-q8hq",
"modified": "2024-05-15T06:42:07Z",
"published": "2020-09-15T20:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"type": "WEB",
"url": "https://pivotal.io/security/cve-2016-9879"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95142"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Security Constraint Bypass in Spring Security"
}
gsd-2016-9879
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2016-9879",
"description": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.",
"id": "GSD-2016-9879",
"references": [
"https://access.redhat.com/errata/RHSA-2017:1832"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2016-9879"
],
"details": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.",
"id": "GSD-2016-9879",
"modified": "2023-12-13T01:21:22.011057Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"ID": "CVE-2016-9879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1",
"version": {
"version_data": [
{
"version_value": "Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Encoded \"/\" in path variables"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:1832",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
},
{
"name": "95142",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95142"
},
{
"name": "https://pivotal.io/security/cve-2016-9879",
"refsource": "CONFIRM",
"url": "https://pivotal.io/security/cve-2016-9879"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,3.2.9.RELEASE],[4.1-alpha0,4.1.3.RELEASE],[4.2-alpha0,4.2.0.RELEASE]",
"affected_versions": "All versions up to 3.2.9.release, all versions starting from 4.1-alpha0 up to 4.1.3.release, all versions starting from 4.2-alpha0 up to 4.2.0.release",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-417",
"CWE-937"
],
"date": "2018-01-04",
"description": "This package does not consider URL path parameters when processing security constraints.Users of IBM WebSphere Application Server `8.5.x` are known to be affected. Users of other containers that implement the Servlet specification may be affected.",
"fixed_versions": [
"3.2.10.RELEASE",
"4.1.4.RELEASE",
"4.2.1.RELEASE"
],
"identifier": "CVE-2016-9879",
"identifiers": [
"CVE-2016-9879"
],
"not_impacted": "All versions after 3.2.9.release before 4.1-alpha0, all versions after 4.1.3.release before 4.2-alpha0, all versions after 4.2.0.release",
"package_slug": "maven/org.springframework.security/spring-security-core",
"pubdate": "2017-01-06",
"solution": "Upgrade to versions 3.2.10.RELEASE, 4.1.4.RELEASE, 4.2.1.RELEASE or above.",
"title": "Encoded \"/\" in path variables",
"urls": [
"https://pivotal.io/security/cve-2016-9879"
],
"uuid": "f8712256-f133-4485-aff4-207e698e0007"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:4.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:4.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:4.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:4.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:4.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:vmware:spring_security:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.5.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:websphere_application_server:8.5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"ID": "CVE-2016-9879"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-417"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://pivotal.io/security/cve-2016-9879",
"refsource": "CONFIRM",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://pivotal.io/security/cve-2016-9879"
},
{
"name": "95142",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/95142"
},
{
"name": "RHSA-2017:1832",
"refsource": "REDHAT",
"tags": [],
"url": "https://access.redhat.com/errata/RHSA-2017:1832"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-06-08T18:22Z",
"publishedDate": "2017-01-06T22:59Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.