RHSA-2017:1712 - Security Advisory

Topic

A security update for Red Hat 3scale API Management Platform 2.0.0 is now available from the Red Hat Container Catalog.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat 3scale API Management Platform 2.0 is a platform for the management of access and traffic for web-based APIs across a variety of deployment options.

Security Fix(es):

• It was found that RH-3scale AMP would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. (CVE-2017-7512)

The underlying container image was also rebuilt to resolve other security issues. These were addressed via the following errata:

• https://access.redhat.com/errata/RHSA-2017:1365
• https://access.redhat.com/errata/RHSA-2017:1481
• https://access.redhat.com/errata/RHSA-2017:1484

Red Hat would like to thank Ryan Nauman (TruCode) for reporting the CVE-2017-7512 issue.

Solution

To apply this security fix, use the updated docker images.

Affected Products

• Red Hat 3scale API Management Platform 2.0 x86_64

Fixes

• BZ - 1457997 - CVE-2017-7512 3scale AMP: validation bypass in oauth

CVEs

• CVE-2017-1000364
• CVE-2017-1000366
• CVE-2017-7502
• CVE-2017-7512

References

• https://access.redhat.com/security/updates/classification/#important