Red Hat Bugzilla – Bug 1480060
CVE-2017-7556 Hawtio: CSRF flaw via jolokia
Last modified: 2018-05-10 14:22:23 EDT
It was found that hawtio contains a CSRF flaw that allows unrelated websites to perform actions as the authenticated user. An attacker could use this vulnerability to trick the user into visiting a website containing a malicious script, which is then submitted to the hawtio server on behalf of the user.
Mitigation: the recommended mitigation for this problem is to manually set up <allow-origin> lists and <strict-checking /> in a custom jolokia-access.xml for production environments:
and add a new system property to include the jolokia access configuration:
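As an added illustration (not the configuration from this bug report or from the hawtio project), the following jolokia-access.xml shows the unrestricted setting next to the restricted one described above, using Jolokia's policy-file format where `<allow-origin>` and `<strict-checking/>` sit under `<restrict><cors>`. The origin `https://hawtio.example.internal` and the file path in the note below are placeholders, and the property used to load the file is assumed to be Jolokia's `jolokia.policyLocation`, which the page itself does not name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jolokia-access.xml: Jolokia security policy, consulted on every request.
     Example file written for this page; adjust the origin to your deployment. -->
<restrict>
  <cors>
    <!-- WEAK: any origin may call Jolokia, and only CORS preflight requests
         are inspected, so a plain cross-site POST from an unrelated page is
         executed with the logged-in user's session (the CSRF described above).
    <allow-origin>*</allow-origin>
    -->

    <!-- HARDENED: only the origin that actually serves the hawtio console
         (placeholder value) is accepted. Add one element per trusted origin. -->
    <allow-origin>https://hawtio.example.internal</allow-origin>

    <!-- With strict checking, Jolokia validates the Origin header (falling
         back to Referer) of every request, not just preflights, and rejects
         requests whose origin is not listed above. Without it, the allow-origin
         list alone does not stop a simple cross-site form POST. -->
    <strict-checking/>
  </cors>
</restrict>
```

Tell Jolokia where the file lives when starting hawtio, for example `-Djolokia.policyLocation=file:///etc/hawtio/jolokia-access.xml` (property name and path assumed as noted above), and confirm the policy is active by checking that a request carrying an unlisted Origin header is rejected.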
Hawtio is not included in OCP. Setting as notaffected.