1714359 – (CVE-2019-10158) CVE-2019-10158 infinispan: Session fixation protection broken for Spring Session integration

Bug 1714359 (CVE-2019-10158) - CVE-2019-10158 infinispan: Session fixation protection broken for Spring Session integration

Summary: CVE-2019-10158 infinispan: Session fixation protection broken for Spring Sess...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-10158
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1714360
Blocks:	1714361
TreeView+	depends on / blocked

Reported:	2019-05-27 20:40 UTC by Laura Pardo
Modified:	2020-12-15 15:46 UTC (History)
CC List:	79 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.
Clone Of:
Environment:
Last Closed:	2019-09-03 11:27:11 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:4037	0	None	None	None	2019-12-02 16:27:02 UTC

Description Laura Pardo 2019-05-27 20:40:26 UTC

A vulnerability was found in Infinispan up to version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration may result in an incorrect session handling


Referrences:
https://issues.jboss.org/browse/ISPN-10224

Upstream Patch:
https://github.com/infinispan/infinispan/pull/6960

Comment 1 Laura Pardo 2019-05-27 20:40:52 UTC

Created infinispan tracking bugs for this issue:

Affects: fedora-all [bug 1714360]

Comment 2 Joshua Padman 2019-05-31 04:45:51 UTC

Red Hat OpenStack - OpenDaylight
This vulnerability is within org.infinispan.spring.common.session which is not included in OpenDaylight.

Comment 3 Joshua Padman 2019-06-03 22:25:13 UTC

The following products are marked as notaffected because they do not contain the vulnerable library.
 * Enterprise Application Platform
 * JBoss Fuse Service Works
 * JBoss Fuse
 * JBoss Data Virtualization & Services
 * JBoss Operations Network
 * OpenShift Application Runtimes
 * Process Automation Manager
 * Single Sign-On (RH-SSO)

Comment 9 errata-xmlrpc 2019-12-02 16:26:57 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid

Via RHSA-2019:4037 https://access.redhat.com/errata/RHSA-2019:4037

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
almorale
anstephe
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
brian.stansberry
cdewolf
chazlett
darran.lofthouse
dbecker
dosoudil
drieden
etirelli
gvarsami
ibek
iweiss
janstey
jawilson
jbalunas
jcoleman
jjoyce
jochrist
jolee
jpallich
jperkins
jschatte
jschluet
jstastny
kbasil
kconner
krathod
kverlaen
kwills
ldimaggi
lef
lgao
lhh
loleary
lpeer
lpetrovi
lthon
mburns
mnovotny
mprpic
msochure
msvehla
mszynkie
nwallace
paradhya
pdrozd
pgallagh
pmackay
psotirop
puntogil
rguimara
ricardo.arguello
rrajasek
rruss
rsvoboda
rsynek
rwagner
sclewis
sdaley
slinaber
smaestri
spinder
sthorger
tcunning
theute
tkirby
tom.jenkinson
trogers
twalsh
vhalbert