Bug 1540030 (CVE-2018-1199)
Summary: | CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | ahardin, aileenc, alazarot, anstephe, apevec, bleanhar, bmaxwell, ccoleman, cdewolf, chazlett, chrisw, csutherl, darran.lofthouse, dedgar, dffrench, dimitris, dosoudil, drieden, drusso, etirelli, gvarsami, gzaronik, ibek, java-maint, java-sig-commits, jawilson, jclere, jcoleman, jgoulding, jjoyce, jmadigan, jokerman, jolee, jondruse, jschatte, jschluet, jshepherd, jstastny, kverlaen, ldimaggi, lef, lgao, lgriffin, lhh, lpeer, markmc, mbabacek, mburns, mchappel, mkolesni, myarboro, ngough, nwallace, ppalaga, pslavice, psotirop, puntogil, pwright, rbryant, rnetuka, rrajasek, rstancel, rsvoboda, rsynek, rwagner, rzhang, sclewis, sdaley, sisharma, slinaber, tcunning, tdecacqu, tkirby, trepel, twalsh, vtunka, weli
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | springframework 5.0.3, springframework 4.3.14, springframework-security 5.0.1, springframework-security 4.2.4, springframework-security 4.1.5 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2021-10-21 19:54:02 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1540032, 1540033, 1571049 | |
Bug Blocks: | 1540036 | |
Description
Sam Fowler
2018-01-30 06:32:18 UTC
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1540033]

Created springframework-security tracking bugs for this issue: Affects: fedora-all [bug 1540032]

Jetty container in JBoss Fuse complies with servlet specification and does not return path parameters, which is a root cause of this flaw, so JBoss Fuse is not affected.

*** Bug 1541996 has been marked as a duplicate of this bug. ***

For RH OpenStack Platform: Although the spring code contains the flaw, OpenDaylight uses Tomcat which is not vulnerable. "Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo() [1]."

[1] https://www.securityfocus.com/archive/1/archive/1/514517/100/0/threaded <-- 2010. catalina-7.0.27.1 used in ODL is from 2012 after the fixes. Should be ok.

Fixed upstream in Spring-security 5.0.1, 4.2.4, 4.1.5 via following commits:
https://github.com/spring-projects/spring-security/commit/0eef5b4b425ab42b9fa0fde1a3f36a37b92558f2
https://github.com/spring-projects/spring-security/commit/cb8041ba67635edafcc934498ef82707157fd22a
https://github.com/spring-projects/spring-security/commit/65da28e4bf62f58fb130ba727cbbd621b44a36d1

Spring Security is not used in Millicore component of RHMAP.

This issue has been addressed in the following products: Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R7 Via RHSA-2018:2405 https://access.redhat.com/errata/RHSA-2018:2405
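The comments above attribute the flaw to containers that hand the security layer a path still carrying `;name=value` path parameters, while compliant containers such as Tomcat strip them from getServletPath()/getPathInfo(). As an added illustration (not Spring's, Tomcat's or Red Hat's code), the Python below applies that canonicalisation itself, stripping parameters per segment and resolving dot segments before the static-resource rule is evaluated, so the matcher and the resource resolver agree on the path; the `/resources/` prefix and the sample paths are constructed for the example.

```python
# Added illustration: canonicalise a request path before a security rule for
# static resources is matched against it. Assumed/constructed values: the
# STATIC_PREFIX location and every sample path used in the tests.
from typing import Optional
from urllib.parse import unquote

STATIC_PREFIX = "/resources/"   # assumed location of public static files


def strip_path_parameters(path: str) -> str:
    """Drop ';param=value' from every segment, e.g.
    '/resources/css/app.css;v=2' -> '/resources/css/app.css'.
    Segments left empty by the strip are removed (a compliant container
    returns the path without them, as the comments above describe)."""
    cleaned = [seg.split(";", 1)[0] for seg in path.split("/")]
    joined = "/".join(seg for seg in cleaned if seg != "")
    return "/" + joined if path.startswith("/") else joined


def normalise(path: str) -> Optional[str]:
    """Decode percent-encoding once, strip path parameters, then resolve
    '.' and '..' segments. Returns None if the path would climb above the
    root, which a static-resource check should simply refuse."""
    stripped = strip_path_parameters(unquote(path))
    resolved = []
    for seg in stripped.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not resolved:
                return None          # nothing left to pop: escapes the root
            resolved.pop()
        else:
            resolved.append(seg)
    return "/" + "/".join(resolved)


def static_resource_allowed(raw_path: str) -> bool:
    """Security rule evaluated on the canonical path, never on the raw one,
    so the decision covers exactly the file the resolver would serve."""
    canonical = normalise(raw_path)
    if canonical is None:
        return False
    return canonical.startswith(STATIC_PREFIX)
```

A stricter variant simply refuses any request whose decoded path still contains `;` after this step, which removes the ambiguity rather than resolving it.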