Bug 1591929 (CVE-2018-11039)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2018-11039 springframework: Cross Site Tracing (XST) if vulnerable to XSS | | |
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | aileenc, alazarot, anstephe, apevec, bmcclain, chazlett, chrisw, dblechte, dfediuck, drieden, eedri, etirelli, gvarsami, ibek, java-sig-commits, jcoleman, jjoyce, jolee, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kverlaen, ldimaggi, lef, lhh, lpeer, lpetrovi, lsurette, markmc, mburns, mgoldboi, michal.skrivanek, mkolesni, nwallace, paradhya, puntogil, rbryant, Rhev-m-bugs, rrajasek, rsynek, rwagner, rzhang, sbonazzo, sclewis, sdaley, sherold, sisharma, slinaber, ssaha, tcunning, tdecacqu, tkirby, vbellur, vhalbert |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | springframework 5.0.7, springframework 4.3.18 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-12 13:05:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1591930, 1648710, 1648711, 1648713, 1648715, 1648717 | | |
| Bug Blocks: | 1639954 | | |
Description
Laura Pardo
2018-06-15 19:35:14 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1591930]

Mitigation:

According to the upstream advisory, this attack applies to applications that allow the application server to handle HTTP TRACE requests, and use the HiddenHttpMethodFilter. Note that the HiddenHttpMethodFilter is enabled by default in Spring Boot.

Whilst the shipped versions of OpenDaylight ship artifacts which fall within the affected versions ("older unsupported versions"), this flaw only has impact in the presence of an existing XSS flaw. Given there are currently no XSS flaws in the shipped versions, and the libraries themselves are not used in a vulnerable way, no package update to mitigate this flaw for OpenDaylight is required.

Statement:

From an OpenDaylight perspective, whilst the shipped versions of OpenDaylight ship artifacts which fall within the affected versions ("older unsupported versions"), this flaw only has impact in the presence of an existing XSS flaw. Given there are currently no XSS flaws in the shipped versions, and the libraries themselves are not used in a vulnerable way, no package update to mitigate this flaw for OpenDaylight is required.

The package rhevm-dependencies does not include the spring-webmvc component, where this vulnerability exists.

This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

The vulnerability exists in org.springframework.web which is not a dependency of Fuse 7. Marked as not affected.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11039
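The two conditions the mitigation names (a container that answers TRACE, and a method-override filter that rewrites POST into any requested method) modelled in Python, as an added example that is not part of this bug report and is not Spring's HiddenHttpMethodFilter source. The `_method` parameter name and the PUT/DELETE/PATCH allow-list follow the filter's documented behaviour before and after the fix; the request, host and cookie values are constructed samples.

```python
from dataclasses import dataclass, field

METHOD_PARAM = "_method"                                   # Spring's default override parameter
ALLOWED_OVERRIDES = frozenset({"PUT", "DELETE", "PATCH"})  # allow-list enforced by the fixed filter


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def override_unrestricted(req: Request) -> str:
    """Pre-fix behaviour: any _method value on a POST becomes the effective method."""
    value = req.params.get(METHOD_PARAM, "")
    return value.upper() if req.method == "POST" and value else req.method


def override_allowlisted(req: Request) -> str:
    """Hardened behaviour: a POST may only be rewritten to PUT, DELETE or PATCH."""
    value = req.params.get(METHOD_PARAM, "").upper()
    return value if req.method == "POST" and value in ALLOWED_OVERRIDES else req.method


def dispatch(req: Request, override, server_handles_trace: bool) -> tuple:
    """Minimal container model: TRACE echoes the request back only when the
    container is configured to handle it; any other method is simply handled."""
    method = override(req)
    if method == "TRACE":
        if not server_handles_trace:
            return 405, ""
        echo = "".join(f"{k}: {v}\r\n" for k, v in req.headers.items())
        return 200, f"TRACE / HTTP/1.1\r\n{echo}"
    return 200, f"handled {method}"


def trace_echo_reachable(override, server_handles_trace: bool) -> bool:
    """Does an ordinary form POST (the request type a browser submits) come back
    as a TRACE echo containing the request headers? Constructed sample request."""
    forged = Request("POST", {METHOD_PARAM: "TRACE"},
                     {"Host": "app.example", "Cookie": "JSESSIONID=constructed-sample"})
    status, body = dispatch(forged, override, server_handles_trace)
    return status == 200 and "Cookie:" in body


if __name__ == "__main__":
    for name, fn in (("unrestricted", override_unrestricted), ("allow-listed", override_allowlisted)):
        for trace in (True, False):
            print(f"{name:13} filter, TRACE {'on ' if trace else 'off'}: "
                  f"echo reachable = {trace_echo_reachable(fn, trace)}")
```

Only the combination of an unrestricted override filter and a container that handles TRACE yields the echo, which is why either disabling TRACE at the container or restricting the filter (as the fixed versions do) closes the issue.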