Bug 1714359 (CVE-2019-10158)
| Summary: | CVE-2019-10158 infinispan: Session fixation protection broken for Spring Session integration | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dbecker, dosoudil, drieden, etirelli, gvarsami, ibek, iweiss, janstey, jawilson, jbalunas, jcoleman, jjoyce, jochrist, jolee, jpallich, jperkins, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, lhh, loleary, lpeer, lpetrovi, lthon, mburns, mnovotny, mprpic, msochure, msvehla, mszynkie, nwallace, paradhya, pdrozd, pgallagh, pmackay, psotirop, puntogil, rguimara, ricardo.arguello, rrajasek, rruss, rsvoboda, rsynek, rwagner, sclewis, sdaley, slinaber, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, trogers, twalsh, vhalbert |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-09-03 11:27:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1714360 | | |
| Bug Blocks: | 1714361 | | |
Description

Laura Pardo
2019-05-27 20:40:26 UTC

Created infinispan tracking bugs for this issue:

Affects: fedora-all [bug 1714360]

Red Hat OpenStack - OpenDaylight: This vulnerability is within org.infinispan.spring.common.session which is not included in OpenDaylight.

The following products are marked as not affected because they do not contain the vulnerable library:

* Enterprise Application Platform
* JBoss Fuse Service Works
* JBoss Fuse
* JBoss Data Virtualization & Services
* JBoss Operations Network
* OpenShift Application Runtimes
* Process Automation Manager
* Single Sign-On (RH-SSO)

This issue has been addressed in the following products:

Red Hat Data Grid

Via RHSA-2019:4037 https://access.redhat.com/errata/RHSA-2019:4037