Bug 1225252 (CVE-2015-3208)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2015-3208 hornetq: XXE/SSRF in XPath selector | | |
| Product | [Other] Security Response | Reporter | Fabio Olive Leite <fleite> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aileenc, apintea, bcourt, bkearney, bkundal, bmaxwell, cbillett, cdewolf, chazlett, cpelland, cperry, csuconic, csutherl, dandread, darran.lofthouse, dimitris, dosoudil, ecottom, fgavrilo, fleite, hghasemb, jason.greene, jawilson, jmatthew, jondruse, jshepherd, kseifried, lgao, mmccune, mstead, myarboro, ohadlevy, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, security-response-team, sstavrev, tjay, tomckay, tsanders, twalsh, vtunka |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2015-06-16 04:50:53 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1478549, 1478550, 1478551, 1545359 | | |
| Bug Blocks | 1225253 | | |
Description

Fabio Olive Leite, 2015-05-27 00:40:56 UTC

Acknowledgements: Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.

This issue appears to have been fixed in the following commit: https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d

There is no release prior to that commit.

Why is this being considered a CVE? There has never been a release of Artemis before that commit. Is there any way to challenge the CVE?

Hi Clebert, I have asked two Product Security engineers to review this flaw and update the metadata if it is indeed incorrect.

In HornetQ.. maybe.. but never in Artemis. I'm not sure this was an issue with hornetq.. as maybe it wasn't released.

Kurt, I don't think that SAM, or Sat 6 could be affected here. The affected code never made it into a release AFAIK. Can you verify and update the whiteboard on this?

Created hornetq tracking bugs for this issue:

Affects: fedora-all [bug 1478551]

This issue has been addressed in the following products:

Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

(In reply to Clebert Suconic from comment #7)
> There has never been a release of Artemis before that commit. Is there any
> way to challenge the CVE?

https://cve.mitre.org/cve/cna/rules.html#appendix_c_process_to_correct_assignment_issues_update_cve_entries
https://cve.mitre.org/about/documents.html

CNA Processes
English: https://cve.mitre.org/cve/cna/CNA_Processes.pptx | https://youtu.be/yLqUMKD2Y9k
Japanese: https://cve.mitre.org/cve/cna/CNA_Processes_ja.pptx