The Commandline class in plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41
https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522
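The failure mode named in the description, shown with generic Bourne-shell quoting. This is an added example, not code from plexus-utils or from this report. It assumes the command line reaches a Bourne-style shell through `sh -c`; `dq_quote`, `sq_quote`, `roundtrip` and `survives` are hypothetical helpers, and the sample arguments are constructed.

```shell
#!/bin/sh
# Added illustration: generic Bourne-shell quoting, not plexus-utils code.

# Constructed sample arguments. The embedded substitution only runs `echo`.
SAMPLE='report $(echo EXPANDED).txt'
SAMPLE_SQ="it's "'$(echo EXPANDED)'

# Weak (hypothetical helper): wrap in double quotes, escaping only embedded
# double quotes. $(...), backticks and $VAR stay live inside the result.
dq_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/\\"/g')"
}

# Hardened (hypothetical helper): wrap in single quotes, where the shell
# expands nothing; an embedded ' becomes '\'' (close, escaped quote, reopen).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hand the quoted word to a child shell inside a command string, as a
# launcher going through "sh -c" would, and return what the child received.
roundtrip() {
    sh -c "printf '%s' $1"
}

# Defender's check: quoting is safe only if the argument survives the
# round trip byte for byte. $1 = quoting function, $2 = argument.
survives() {
    [ "$(roundtrip "$($1 "$2")")" = "$2" ]
}

for q in dq_quote sq_quote; do
    if survives "$q" "$SAMPLE"; then
        echo "$q: argument delivered literally"
    else
        echo "$q: argument altered by the shell"
    fi
done
```

A round-trip check like `survives` works as a regression test for any code that builds shell command strings from untrusted arguments.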
OpenDaylight in Red Hat OpenStack 8 & 9 is released as a technical preview and is unsupported.
Updated statement and status of Satellite 6
Statement: This issue affects the versions of plexus-utils as shipped with Red Hat Enterprise Linux 7 as well as Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship plexus-utils; as such, they are not affected by this vulnerability. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products:

Red Hat JBoss Fuse

Via RHSA-2018:1322 https://access.redhat.com/errata/RHSA-2018:1322