Bug 1553024 (CVE-2017-8046)

Summary: CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
Product: [Other] Security Response
Reporter: Jason Shepherd <jshepherd>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: unspecified
CC: avibelli, bgeorges, cmoulliard, jbalunas, jochrist, jpallich, jshepherd, lthon, mszynkie, pgallagh, rruss, trogers
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2018-03-09 00:38:31 UTC
Bug Blocks: 1553020

Description Jason Shepherd 2018-03-08 04:18:27 UTC
Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.

Comment 2 Jason Shepherd 2018-03-09 00:37:16 UTC
Spring REST Data is not supported in RHOAR.

Please be sure to select a version of Spring REST Data which is not affected by this issue:

- Spring Data REST 2.6.9 (Ingalls SR9, Oct. 27th, 2017)
- Spring Data REST 3.0.1 (Kay SR1, Oct. 27th, 2017)

Comment 3 Jason Shepherd 2018-03-14 01:37:12 UTC
Statement:

While there might be compatibility issues upgrading Spring REST Data independently of the Spring Boot version, we recommend that customers make sure they are using a fixed version of Spring Data REST, 2.6.9 or 3.0.1. RHOAR has now upgraded to version 1.5.10 of Spring Boot, which is compatible with fixed versions of Spring Data REST.
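As an added example (not Red Hat's or the Spring project's code), the following Python check applies the fixed versions named in this bug, 2.6.9 for the 2.x line and 3.0.1 for the 3.x line, to `mvn dependency:list` output. The sample output lines are constructed, and the assumption that the `spring-data-rest-*` artifacts under `org.springframework.data` are the jars to inspect is the author's, not the page's.

```python
import re
from typing import List, Tuple

# Fixed releases stated in this bug: the 2.x line is fixed at 2.6.9, the 3.x line at 3.0.1.
FIXED_VERSIONS = {2: (2, 6, 9), 3: (3, 0, 1)}

# Matches `mvn dependency:list` lines such as
#   org.springframework.data:spring-data-rest-core:jar:2.6.8.RELEASE:compile
# (which artifact names to inspect is an assumption of this example)
DEP_RE = re.compile(r"org\.springframework\.data:(spring-data-rest-[a-z-]+):\w+:([0-9][^:\s]*):\w+")

# Constructed sample output; not taken from any real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.data:spring-data-rest-core:jar:2.6.8.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:2.6.8.RELEASE:compile
[INFO]    org.springframework.data:spring-data-rest-hal-browser:jar:3.0.1.RELEASE:compile
"""

def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch), ignoring Spring's '.RELEASE' / '.SR1' style suffixes."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(n) for n in m.groups())
    return major, minor, patch

def verdict(version: str) -> str:
    """'affected' if below the fixed release of its major line, 'fixed' if at or above,
    'unknown' for major lines this bug does not mention."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return "unknown"
    return "affected" if v < fixed else "fixed"

def scan_dependency_list(output: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, verdict) for every Spring Data REST jar in the output."""
    findings = []
    for line in output.splitlines():
        m = DEP_RE.search(line)
        if m:
            artifact, version = m.groups()
            findings.append((artifact, version, verdict(version)))
    return findings

if __name__ == "__main__":
    for artifact, version, result in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version}: {result}")
```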

Comment 4 errata-xmlrpc 2018-08-14 19:51:15 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R7

Via RHSA-2018:2405 https://access.redhat.com/errata/RHSA-2018:2405