Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.
External References: https://pivotal.io/security/cve-2018-15756
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1643044]
Statement: The package rhvm-dependencies does not include the vulnerable spring-webmvc component.
Spring Framework, as used in Open Daylight, as part of RHOSP, does not ship or use an affected version of Spring Framework.
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-15756
This issue has been addressed in the following products: Red Hat AMQ Via RHSA-2020:3133 https://access.redhat.com/errata/RHSA-2020:3133