Bug 1413905 (CVE-2017-2589)

Summary: CVE-2017-2589 hawtio: Proxy is sharing cookies among all the clients
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abhgupta, aileenc, chazlett, security-response-team, tiwillia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1413652, 1426003    

Description Adam Mariš 2017-01-17 10:00:07 UTC
It was that hawtio servlet uses a single HttpClient instance to proxy requests, with a persistent cookie store, i.e. cookies are stored locally and are not passed between the client and the end URL, which means all clients using that proxy are sharing the same cookies.

Comment 1 Adam Mariš 2017-01-17 10:01:40 UTC
Acknowledgments:

Name: Adam Willard (Blue Canopy), Dennis Reed (Red Hat)

Comment 4 errata-xmlrpc 2017-08-10 23:03:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832