Bug 1578578 (CVE-2018-1257)
Summary: | CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | aileenc, alazarot, anstephe, apevec, bmaxwell, cdewolf, chazlett, chrisw, claprun, csutherl, darran.lofthouse, dblechte, dfediuck, dffrench, dimitris, dosoudil, drieden, drusso, eedri, etirelli, gvarsami, ibek, java-sig-commits, jawilson, jcoleman, jjoyce, jmadigan, jolee, jschatte, jschluet, jshepherd, jstastny, kbasil, kconner, krathod, kverlaen, ldimaggi, lef, lgao, lgriffin, lhh, lpeer, lpetrovi, markmc, mburns, mgoldboi, michal.skrivanek, mkolesni, myarboro, ngough, nobody, nwallace, paradhya, pavelp, pgier, psakar, pslavice, puntogil, pwright, rbryant, rhel8-maint, rnetuka, rrajasek, rsvoboda, rsynek, rwagner, rzhang, sbonazzo, sclewis, sdaley, sherold, sisharma, slinaber, slukasik, ssaha, tcunning, tdecacqu, tkirby, trepel, twalsh, vbellur, vhalbert, vtunka, yturgema |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | spring-framework 5.0.6, spring-framework 4.3.17 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:22:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1578579, 1578580, 1578938 | ||
Bug Blocks: | 1578941 |
Description
Laura Pardo
2018-05-15 22:13:03 UTC
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1578579] RHMAP doesn't make sure of websocket stomp as described in https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable Marking RHMAP as not affected. ODL does not use WebSocket STOMP in any packaged components for any RHOSP release. Marked not affected. Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE? This issue has been addressed in the following products: Red Hat Openshift Application Runtimes (text-only advisories) Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809 This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768 This vulnerability is out of security support scope for the following products: * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. |