Bug 1714359 (CVE-2019-10158)

Summary: CVE-2019-10158 infinispan: Session fixation protection broken for Spring Session integration
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dbecker, dosoudil, drieden, etirelli, gvarsami, ibek, iweiss, janstey, jawilson, jbalunas, jcoleman, jjoyce, jochrist, jolee, jpallich, jperkins, jschatte, jschluet, jstastny, kbasil, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, lhh, loleary, lpeer, lpetrovi, lthon, mburns, mnovotny, mprpic, msochure, msvehla, mszynkie, nwallace, paradhya, pdrozd, pgallagh, pmackay, psotirop, puntogil, rguimara, ricardo.arguello, rrajasek, rruss, rsvoboda, rsynek, rwagner, sclewis, sdaley, slinaber, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, trogers, twalsh, vhalbert
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-09-03 11:27:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1714360
Bug Blocks: 1714361

Description Laura Pardo 2019-05-27 20:40:26 UTC
A vulnerability was found in Infinispan up to version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration may result in an incorrect session handling.

References:
https://issues.jboss.org/browse/ISPN-10224

Upstream Patch:
https://github.com/infinispan/infinispan/pull/6960
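The description names the property that was broken (session fixation protection) but not what a correct implementation has to guarantee. The Python sketch below is an added illustration, not code from Infinispan, Spring Session, the linked pull request or this bug report, and it does not reproduce the actual Infinispan defect. It models the contract a session-id rotation must meet when a user authenticates: the pre-authentication id stops resolving, the attributes carry over to the new id, and the new id differs from the old one. A deliberately wrong variant rotates the id without retiring the old mapping, which is one way "incorrect session handling" can look; `fixation_protected` is the check a reviewer or test suite would run against either. All class and function names are assumptions.

```python
import secrets


class SessionRepository:
    """Minimal in-memory session store (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}

    def create_session(self):
        # Unauthenticated sessions get an id too; this is the id an attacker
        # could know before the victim logs in.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def set_attribute(self, sid, key, value):
        self._sessions[sid][key] = value

    def change_session_id(self, old_sid):
        """Correct rotation: same attributes, old id no longer resolves."""
        attrs = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = attrs
        return new_sid


class BrokenSessionRepository(SessionRepository):
    """Hypothetical faulty rotation: issues a new id but keeps the old one live."""

    def change_session_id(self, old_sid):
        new_sid = secrets.token_urlsafe(32)
        # The old id still maps to the very same attribute dict, so anything
        # set after login (the authenticated user) is reachable via the old id.
        self._sessions[new_sid] = self._sessions[old_sid]
        return new_sid


def login(repo, sid, user):
    """Authenticate: rotate the id first, then bind the identity to the new id."""
    new_sid = repo.change_session_id(sid)
    repo.set_attribute(new_sid, "user", user)
    return new_sid


def fixation_protected(repo_cls):
    """True if a pre-authentication id grants nothing after login."""
    repo = repo_cls()
    pre_auth = repo.create_session()
    post_auth = login(repo, pre_auth, "alice")
    if post_auth == pre_auth:
        return False  # id was never rotated
    old_resolves = repo.get(pre_auth) is not None
    new_ok = repo.get(post_auth) == {"user": "alice"}
    return (not old_resolves) and new_ok


if __name__ == "__main__":
    print("correct repository protected:", fixation_protected(SessionRepository))
    print("broken repository protected:", fixation_protected(BrokenSessionRepository))
```

The point of the check is that rotation is only meaningful if the old identifier is retired; returning a fresh id while the previous one keeps resolving to the now-authenticated session leaves the fixation window open, and a test like `fixation_protected` catches that regardless of how the store is implemented.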

Comment 1 Laura Pardo 2019-05-27 20:40:52 UTC
Created infinispan tracking bugs for this issue:

Affects: fedora-all [bug 1714360]

Comment 2 Joshua Padman 2019-05-31 04:45:51 UTC
Red Hat OpenStack - OpenDaylight
This vulnerability is within org.infinispan.spring.common.session which is not included in OpenDaylight.

Comment 3 Joshua Padman 2019-06-03 22:25:13 UTC
The following products are marked as not affected because they do not contain the vulnerable library.
 * Enterprise Application Platform
 * JBoss Fuse Service Works
 * JBoss Fuse
 * JBoss Data Virtualization & Services
 * JBoss Operations Network
 * OpenShift Application Runtimes
 * Process Automation Manager
 * Single Sign-On (RH-SSO)

Comment 9 errata-xmlrpc 2019-12-02 16:26:57 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid

Via RHSA-2019:4037 https://access.redhat.com/errata/RHSA-2019:4037