Bug 1709860 (CVE-2019-5427)
Summary: | CVE-2019-5427 c3p0: loading XML configuration leads to denial of service | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | msiddiqu |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bbuckingham, bcourt, bgeorges, bkearney, btotty, cbyrne, chazlett, cmacedo, csutherl, decathorpe, dffrench, dingyichen, drusso, etirelli, gvarsami, gzaronik, hhudgeon, ibek, janstey, java-sig-commits, jbalunas, jclere, jcoleman, jmadigan, jochrist, jpallich, jshepherd, kconner, krathod, kverlaen, ldimaggi, lef, lgao, lthon, lzap, mbabacek, mhulan, mmccune, mnovotny, mszynkie, myarboro, ngough, nwallace, paradhya, pgallagh, pwright, rchan, rjerrido, rrajasek, rruss, rsynek, rwagner, sdaley, sisharma, stewardship-sig, tcunning, tkirby, tlestach, trepel, twalsh, vbellur, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | c3p0 0.9.5.4 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-03-26 16:32:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1709862, 1709861 | ||
Bug Blocks: | 1709863 |
Description
msiddiqu
2019-05-14 12:36:22 UTC
Created c3p0 tracking bugs for this issue: Affects: epel-7 [bug 1709862] Affects: fedora-all [bug 1709861] This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss SOA Platform 5 * Red Hat JBoss BPM Suite 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. In Satellite 5 context : setting severity to Low, because the attack requires c3p0 to be provided with a specially crafted XML configuration file. This should not happen unless the Satellite is already severely compromised. Statement: Red Hat Satellite 6 is not vulnerable to this issue, because the candlepin component who uses the c3p0 jar never passes a XML configuration file to c3p0, even though it includes a vulnerable version of the latter. Since this issue requires a XML files to be loaded by c3p0, an exploitation path doesn't exist. This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details This vulnerability is out of security support scope for the following product: * Red Hat JBoss Enterprise Web Server 2 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5427 |