Bug 1532497 (CVE-2017-1000487)

Summary: CVE-2017-1000487 plexus-utils: Mishandled strings in Commandline class allow for command injection
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: (none)
Severity: medium
Docs Contact: (none)
Priority: medium
Version: unspecified
CC: aileenc, alazarot, anstephe, apevec, bcourt, bdawidow, bkearney, chazlett, chrisw, drieden, etirelli, fnasser, fweimer, gvarsami, hghasemb, hhorak, ibek, java-maint, java-sig-commits, jcoleman, jjoyce, jmatthew, jolee, jorton, jschluet, jstastny, kbasil, kconner, kseifried, kverlaen, ldimaggi, lhh, lpeer, lpetrovi, markmc, mburns, mizdebsk, mkolesni, mmccune, mrike, msimacek, nwallace, nyechiel, ohadlevy, paradhya, pdrozd, pszubiak, rbryant, rchan, rrajasek, rsynek, rwagner, rzhang, sclewis, sdaley, slinaber, sthorger, tcunning, tdecacqu, tjay, tkirby, tsanders, vhalbert
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: (none)
Fixed In Version: plexus-utils 3.0.16
Doc Type: If docs needed, set a value
Doc Text: (none)
Story Points: ---
Clone Of: (none)
Environment: (none)
Last Closed: 2018-06-07 20:13:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM: (none)
Verified Versions: (none)
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: (none)
Cloudforms Team: ---
Target Upstream Version: (none)
Embargoed: (none)
Bug Depends On: 958733, 1009412
Bug Blocks: 1532498

Description Sam Fowler 2018-01-09 06:37:19 UTC
The Commandline class in plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41
https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522
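The description above names the class of defect (quoted strings handed to a shell being mishandled) without stating the exact flaw; the specifics are in the linked upstream commit. As an added illustration that is not plexus-utils code and does not reproduce the fixed bug, the Java below contrasts the weak form of argument quoting for `/bin/sh -c` (wrapping in double quotes, inside which `$`, backtick, backslash and `"` remain active in POSIX shells) with the form that passes any argument through literally (single quotes, with embedded single quotes rewritten as `'\''`). The class name `ShellQuoting` and its methods are assumptions for this example; the only runtime dependency is a POSIX `sh` for the optional round-trip check.

```java
// Added example, not from plexus-utils or the CVE fix: general POSIX shell
// quoting rules for arguments that will be passed to "sh -c".
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ShellQuoting {

    // Characters the shell still interprets inside a double-quoted word.
    private static final String ACTIVE_IN_DOUBLE_QUOTES = "$`\\\"";

    /** Weak form: wrapping in double quotes leaves expansions active. */
    static String doubleQuote(String arg) {
        return "\"" + arg + "\"";
    }

    /**
     * Safe form for POSIX sh: wrap in single quotes and rewrite each embedded
     * single quote as '\'' (close the quote, add an escaped quote, reopen).
     * Nothing is expanded inside single quotes.
     */
    static String singleQuote(String arg) {
        return "'" + arg.replace("'", "'\\''") + "'";
    }

    /** True if the argument would be altered by the shell under double quotes. */
    static boolean unsafeUnderDoubleQuotes(String arg) {
        for (char c : arg.toCharArray()) {
            if (ACTIVE_IN_DOUBLE_QUOTES.indexOf(c) >= 0) {
                return true;
            }
        }
        return false;
    }

    /** Builds the argv for "sh -c" with every argument safely quoted. */
    static List<String> buildShellCommand(String program, List<String> args) {
        StringBuilder line = new StringBuilder(singleQuote(program));
        for (String a : args) {
            line.append(' ').append(singleQuote(a));
        }
        List<String> argv = new ArrayList<>();
        argv.add("/bin/sh");
        argv.add("-c");
        argv.add(line.toString());
        return argv;
    }

    /**
     * Verification a practitioner can run: pass the quoted argument through a
     * real sh and check it arrives byte-for-byte unchanged (requires /bin/sh).
     */
    static boolean roundTrips(String arg) throws IOException, InterruptedException {
        Process p = new ProcessBuilder("/bin/sh", "-c", "printf '%s' " + singleQuote(arg)).start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        return p.waitFor() == 0 && out.equals(arg);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a value containing a command substitution
        // and an embedded single quote.
        String untrusted = "report $(id) 'done'";

        System.out.println("double-quoted: " + doubleQuote(untrusted)
                + "  would be altered by sh: " + unsafeUnderDoubleQuotes(untrusted));
        System.out.println("single-quoted: " + singleQuote(untrusted));
        System.out.println("argv: " + buildShellCommand("echo", Arrays.asList(untrusted)));
        System.out.println("round-trips through sh unchanged: " + roundTrips(untrusted));
    }
}
```

The defender's check here is `roundTrips`: any quoting routine that is meant to neutralise shell metacharacters should be tested by sending arguments containing `$(...)`, backticks, backslashes and both quote characters through the real shell and asserting they come back unchanged, rather than by inspecting the quoted string by eye.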

Comment 1 Joshua Padman 2018-01-09 23:36:20 UTC
OpenDaylight in Red Hat OpenStack 8 & 9 is released as a technical preview and is unsupported.

Comment 6 Kurt Seifried 2018-03-02 21:10:28 UTC
Updated statement and status of Satellite 6

Comment 7 Kurt Seifried 2018-03-02 21:11:09 UTC
Statement:

This issue affects the versions of plexus-utils as shipped with Red Hat Enterprise Linux 7 as well as Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship plexus-utils, as such they are not affected by this vulnerability. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 9 errata-xmlrpc 2018-05-03 19:05:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:1322 https://access.redhat.com/errata/RHSA-2018:1322