Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1591072 - (CVE-2018-12537) CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers
CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180613,repor...
: Security
Depends On:
Blocks: 1591073
  Show dependency treegraph
 
Reported: 2018-06-13 22:12 EDT by Sam Fowler
Modified: 2018-10-08 17:25 EDT (History)
12 users (show)

See Also:
Fixed In Version: vertx 3.5.2
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2371 None None None 2018-08-09 10:39 EDT

  None (edit)
Description Sam Fowler 2018-06-13 22:12:43 EDT
Eclipse Vert.x before version 3.5.2 does not properly neutralize CR and LF characters in HTTP request before return responses. A remote attacker could exploit this to inject abritrary HTTP response headers to potentially mount cross-site scripting and cache poisoning attacks.


External Reference:

https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-021_vertx.txt


Upstream Issue:

https://github.com/eclipse/vert.x/issues/2470


Upstream Patch:

https://github.com/eclipse/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72
Comment 1 Andrej Nemec 2018-06-19 05:17:28 EDT
References:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=536038
Comment 2 Hooman Broujerdi 2018-06-21 23:09:15 EDT
Statement: 

While the affected artifact is being shipped in Fuse 6.3 via camel-vertx component, the vulnerable code is not being used, therefore Fuse 6.3 is not affected.
Comment 5 errata-xmlrpc 2018-08-09 10:39:37 EDT
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:2371 https://access.redhat.com/errata/RHSA-2018:2371

Note You need to log in before you can comment on or make changes to this bug.