Bug 1140859

Summary: Cross-site scripting security vulnerability related to viewing tomcat logs
Product: [Community] Spacewalk Reporter: Stephen Herr <sherr>
Component: ServerAssignee: Stephen Herr <sherr>
Status: CLOSED CURRENTRELEASE QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.2   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spacewalk-java-2.2.124-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1140863 1141327 (view as bug list) Environment:
Last Closed: 2014-09-12 16:08:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1140863, 1141327, 1207293    

Description Stephen Herr 2014-09-11 21:16:07 UTC 
Description of problem:
CVE-2014-3595

An attacker could hit Spacewalk with a malformed url to make tomcat log malicious html. Then, if a Spacewalk admin looked at the tomcat logs in the webui through Admin -> Show Tomcat Logs the malicious html could cause an arbitrary script to run.
Comment 1 Stephen Herr 2014-09-11 21:22:55 UTC 
Committing to Spacewalk master:
64e887448ef01e956256a03cc71b71e0f086a1c5

Cherry-picking to Spacewalk master:
9707946c4ac17a1c1124e682f157fc2f69959f82
Comment 2 Stephen Herr 2014-09-11 21:26:35 UTC 
The second commit has in comment 1 should read "Cherry-picking to Spacewalk 2.2".
Comment 3 Stephen Herr 2014-09-12 16:08:22 UTC 
Updated spacewalk-java packages that fix this vulnerability are now available in Spacewalk 2.2.