A flaw was found in Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. References: https://pivotal.io/security/cve-2018-1257
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1578579]
RHMAP doesn't make sure of websocket stomp as described in https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable Marking RHMAP as not affected.
ODL does not use WebSocket STOMP in any packaged components for any RHOSP release. Marked not affected.
Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes (text-only advisories) Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809
This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.