- Issued:
- 2016-04-04
- Updated:
- 2016-04-04
RHSA-2016:0590 - Security Advisory
Synopsis
Moderate: spacewalk-java security update
Type/Severity
Security Advisory: Moderate
Topic
An update for spacewalk-java is now available for Red Hat Satellite 5.7.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Description
Red Hat Satellite is a system management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and the remote management of multiple Linux deployments with a single, centralized tool.
Security Fix(es):
- A cross-site scripting (XSS) flaw was found in how XML data was handled in Red Hat Satellite. A user able to use the XMLRPC API could exploit this flaw to perform XSS attacks against other Satellite users. (CVE-2015-0284)
- Multiple cross-site scripting (XSS) flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2103, CVE-2016-3079)
- Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2104)
Red Hat would like to thank Adam Willard (Raytheon Foreground Security) for reporting CVE-2016-2104. The CVE-2015-0284 and CVE-2016-3079 issues were discovered by Jan Hutař (Red Hat).
Solution
For details on how to apply this update, which includes the changes described in
this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Satellite 5.7 x86_64
- Red Hat Satellite 5.7 s390x
Fixes
- BZ - 1181152 - XSS when altering user details and going somewhere where you are choosing user
- BZ - 1181472 - CVE-2015-0284 Red Hat Satellite: stored XSS in user details fields (incomplete fix for CVE-2014-7811)
- BZ - 1305677 - CVE-2016-2104 Satellite 5: stored and reflected XSS vulnerabilities
- BZ - 1305681 - CVE-2016-2103 Satellite 5: multiple stored XSS vulnerabilities
- BZ - 1313515 - (CVE-2016-2104) Satellite 5: multiple XSS vulnerabilities
- BZ - 1313517 - (CVE-2016-2103) Satellite 5: multiple XSS vulnerabilities
- BZ - 1320444 - (CVE-2016-3079) XSS on pages for entitlements management
- BZ - 1320452 - (CVE-2016-3079) two XSS issues due to element creation in SSM (Perl stack) and displaying outside of it
- BZ - 1320940 - CVE-2016-3079 spacewalk-java: Multiple XSS issues in WebUI
CVEs
References
Red Hat Satellite 5.7
| SRPM | |
|---|---|
| spacewalk-java-2.3.8-134.el6sat.src.rpm | SHA-256: fce0773c22679baf2acb3cc0837191b1b333328ac533a52b76bf6d7f2f6add6d |
| x86_64 | |
| spacewalk-java-2.3.8-134.el6sat.noarch.rpm | SHA-256: 284168792bae913cfb1ff0db42d1ca94ae9ab0ce2c9f9627ef37bb8f8e14d96e |
| spacewalk-java-config-2.3.8-134.el6sat.noarch.rpm | SHA-256: 41e8045858725b39a8c4fab63ce963e5d3194267824213b6a93485742a6d28b6 |
| spacewalk-java-lib-2.3.8-134.el6sat.noarch.rpm | SHA-256: 78613b229d1c185565cd77930759815409ff5019c96bf97b3e999dc97703704b |
| spacewalk-java-oracle-2.3.8-134.el6sat.noarch.rpm | SHA-256: d0f5ca7e363a92878207b7dbfc9490b2ca15224edbc7595fb9dea92cf95194f2 |
| spacewalk-java-postgresql-2.3.8-134.el6sat.noarch.rpm | SHA-256: e62ad09b6cde3f8efc77ec247ef7e608dc6cd2887873ac48a8b84c9e4fa85b87 |
| spacewalk-taskomatic-2.3.8-134.el6sat.noarch.rpm | SHA-256: eeee675d98a06d7489937672afb2da6f212ba55b753886b4d7d5458202009a08 |
| s390x | |
| spacewalk-java-2.3.8-134.el6sat.noarch.rpm | SHA-256: 284168792bae913cfb1ff0db42d1ca94ae9ab0ce2c9f9627ef37bb8f8e14d96e |
| spacewalk-java-config-2.3.8-134.el6sat.noarch.rpm | SHA-256: 41e8045858725b39a8c4fab63ce963e5d3194267824213b6a93485742a6d28b6 |
| spacewalk-java-lib-2.3.8-134.el6sat.noarch.rpm | SHA-256: 78613b229d1c185565cd77930759815409ff5019c96bf97b3e999dc97703704b |
| spacewalk-java-oracle-2.3.8-134.el6sat.noarch.rpm | SHA-256: d0f5ca7e363a92878207b7dbfc9490b2ca15224edbc7595fb9dea92cf95194f2 |
| spacewalk-java-postgresql-2.3.8-134.el6sat.noarch.rpm | SHA-256: e62ad09b6cde3f8efc77ec247ef7e608dc6cd2887873ac48a8b84c9e4fa85b87 |
| spacewalk-taskomatic-2.3.8-134.el6sat.noarch.rpm | SHA-256: eeee675d98a06d7489937672afb2da6f212ba55b753886b4d7d5458202009a08 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.