Issued: 2017-07-06
Updated: 2017-07-06
RHSA-2017:1712 - Security Advisory
Synopsis
Important: Red Hat 3scale API Management Platform 2.0.0 security update
Type/Severity
Security Advisory: Important
Topic
A security update for Red Hat 3scale API Management Platform 2.0.0 is now available from the Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat 3scale API Management Platform 2.0 is a platform for the management of access and traffic for web-based APIs across a variety of deployment options.
Security Fix(es):
- It was found that RH-3scale AMP would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. (CVE-2017-7512)
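The flaw class described above, a token endpoint that only verifies the client secret when one is supplied, shown as an added illustration beside its corrected form; this is a hypothetical model written for this page, not 3scale code, and the client registry and token format are constructed placeholders:

```python
import hmac

# Constructed OAuth client registry: client_id -> client_secret.
# Hypothetical values, not taken from any real deployment.
CLIENTS = {
    "app-123": "s3cr3t-value",
}

def issue_token_flawed(params):
    """Models the pre-fix behaviour: the secret is compared only when the
    request carries one, so leaving client_secret out skips client
    authentication and a token is still issued. Returns a token or None."""
    client_id = params.get("client_id")
    if client_id not in CLIENTS:
        return None
    secret = params.get("client_secret")
    # Defect: a missing secret falls through to token issuance.
    if secret is not None and not hmac.compare_digest(secret, CLIENTS[client_id]):
        return None
    return f"token-for-{client_id}"

def issue_token_fixed(params):
    """Hardened check: unknown client, missing or empty secret, or a
    mismatch all fail closed; comparison is constant-time."""
    client_id = params.get("client_id")
    secret = params.get("client_secret")
    if client_id not in CLIENTS or not secret:
        return None
    if not hmac.compare_digest(secret, CLIENTS[client_id]):
        return None
    return f"token-for-{client_id}"
```

The point for a reviewer of any token endpoint is that "secret present and correct" must be one required condition, never "secret correct if present".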
The underlying container image was also rebuilt to resolve other security issues. These were addressed via the following errata:
- https://access.redhat.com/errata/RHSA-2017:1365
- https://access.redhat.com/errata/RHSA-2017:1481
- https://access.redhat.com/errata/RHSA-2017:1484
Red Hat would like to thank Ryan Nauman (TruCode) for reporting the CVE-2017-7512 issue.
Solution
To apply this security fix, use the updated docker images.
Affected Products
- Red Hat 3scale API Management Platform 2.0 x86_64
Fixes
- BZ - 1457997 - CVE-2017-7512 3scale AMP: validation bypass in oauth
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.