Bug 1540030 - (CVE-2018-1199) CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20180129,repo...
Keywords: Security
Duplicates: 1541996
Depends On: 1540032 1540033 1571049
Blocks: 1540036
Reported: 2018-01-30 01:32 EST by Sam Fowler
Modified: 2018-10-19 17:46 EDT
Fixed In Version: springframework 5.0.3, springframework 4.3.14, springframework-security 5.0.1, springframework-security 4.2.4, springframework-security 4.1.5
Doc Type: If docs needed, set a value

External Trackers:
Red Hat Product Errata RHSA-2018:2405 (Priority: None, Status: None, Summary: None, Last Updated: 2018-08-14 15:51 EDT)
Description Sam Fowler 2018-01-30 01:32:18 EST
Spring Framework and Spring Security do not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint and access Spring MVC static resource URLs.

Affected versions include:
    * Spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3 and 5.0
    * Spring Framework 4.3.0 - 4.3.14, and 5.0.0 - 5.0.2

Older unmaintained versions of Spring Security and Spring Framework may also be affected.


External References:

https://pivotal.io/security/cve-2018-1199

Mitigation:

As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.
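As an added illustration of the mismatch the report describes and of the canonicalization a defender wants, the following Python model (not code from the bug report or from the Spring project; the protected-pattern list and the sample request paths are constructed) evaluates a security constraint on the raw request path and on the same path with servlet path parameters stripped, and flags any request where the two decisions differ.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Assumed security configuration, following the mitigation above: private
# static resources live under their own root.
PRIVATE_PATTERNS = ["/resources/private/**"]


def strip_path_params(path: str) -> str:
    """Canonical form: drop the ';key=value' path parameter from every segment,
    which is what a servlet container that follows the Servlet Expert Group
    guidance does before exposing getServletPath()/getPathInfo()."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def ant_match(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher: '**' spans any number of segments,
    '*' matches within a single segment only."""
    pp = [p for p in pattern.split("/") if p]
    sp = [s for s in path.split("/") if s]

    def rec(i: int, j: int) -> bool:
        if i == len(pp):
            return j == len(sp)
        if pp[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(sp) + 1))
        if j < len(sp) and fnmatchcase(sp[j], pp[i]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


def is_protected(path: str) -> bool:
    return any(ant_match(p, path) for p in PRIVATE_PATTERNS)


def check_request(raw_path: str) -> dict:
    """Evaluate the constraint on the raw path (the flawed behaviour) and on
    the canonical path (the fixed behaviour); disagreement is the signal to alert on."""
    canonical = strip_path_params(unquote(raw_path))
    protected_raw = is_protected(raw_path)
    protected_fixed = is_protected(canonical)
    return {
        "canonical": canonical,
        "protected_raw": protected_raw,
        "protected_fixed": protected_fixed,
        "suspicious": protected_raw != protected_fixed,
    }


if __name__ == "__main__":
    # Constructed sample requests, not taken from the report.
    for p in ["/resources/private/secret.css", "/resources;v=1/private/secret.css", "/resources/public/app.css"]:
        print(p, check_request(p))
```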
Comment 1 Sam Fowler 2018-01-30 01:32:58 EST
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1540033]


Created springframework-security tracking bugs for this issue:

Affects: fedora-all [bug 1540032]
Comment 2 Hooman Broujerdi 2018-02-12 23:32:34 EST
The Jetty container in JBoss Fuse complies with the servlet specification and does not return path parameters, which is a root cause of this flaw, so JBoss Fuse is not affected.
Comment 3 Tomas Hoger 2018-02-26 03:37:26 EST
*** Bug 1541996 has been marked as a duplicate of this bug. ***
Comment 5 Summer Long 2018-03-08 17:03:20 EST
For RH OpenStack Platform: Although the spring code contains the flaw, OpenDaylight uses Tomcat which is not vulnerable. "Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo() [1]."
[1] https://www.securityfocus.com/archive/1/archive/1/514517/100/0/threaded <-- 2010.
catalina-7.0.27.1 used in ODL is from 2012 after the fixes. Should be ok.
Comment 12 Jason Shepherd 2018-06-14 00:32:16 EDT
Spring Security is not used in Millicore component of RHMAP.
Comment 13 errata-xmlrpc 2018-08-14 15:51:12 EDT
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R7

Via RHSA-2018:2405 https://access.redhat.com/errata/RHSA-2018:2405
