Bug 1643043 (CVE-2018-15756)

Summary: CVE-2018-15756 springframework: DoS Attack via Range Requests
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, alazarot, anstephe, apevec, ataylor, bmcclain, chazlett, chrisw, dbecker, dblechte, dfediuck, dingyichen, drieden, eedri, etirelli, gvarsami, ibek, java-sig-commits, jcoleman, jjoyce, jochrist, jolee, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kverlaen, ldimaggi, lef, lhh, lpeer, lsurette, markmc, mburns, mgoldboi, michal.skrivanek, nwallace, paradhya, pdrozd, puntogil, rbryant, Rhev-m-bugs, rrajasek, rsynek, rwagner, rzhang, sbonazzo, sclewis, sdaley, sherold, sisharma, slinaber, sthorger, tcunning, tdecacqu, tkirby, vbellur, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: springframework 5.0.10, springframework 4.3.20 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-26 16:32:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1643044    
Bug Blocks: 1643045    

Description Andrej Nemec 2018-10-25 12:22:07 UTC 
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.
Comment 1 Andrej Nemec 2018-10-25 12:22:45 UTC 
External References:

https://pivotal.io/security/cve-2018-15756
Comment 2 Andrej Nemec 2018-10-25 12:23:32 UTC 
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1643044]
Comment 3 Doran Moppert 2018-11-19 00:27:54 UTC 
Statement:

The package rhvm-dependencies does not include the vulnerable spring-webmvc component.
Comment 4 James Hebden 2018-11-26 23:11:20 UTC 
Spring Framework, as used in Open Daylight, as part of RHOSP, does not ship or use an affected version of Spring Framework.
Comment 5 Joshua Padman 2019-05-15 22:13:53 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 11 errata-xmlrpc 2020-03-26 15:47:20 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
Comment 12 Product Security DevOps Team 2020-03-26 16:32:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-15756
Comment 13 errata-xmlrpc 2020-07-23 15:10:21 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:3133 https://access.redhat.com/errata/RHSA-2020:3133