CVE-2014-0225
It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers.
Find out more about CVE-2014-0225 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.
CVSS v2 metrics
| Base Score | 5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 6.1 | RHSA-2014:1351 | 2014-10-01 |
| Red Hat JBoss A-MQ 6.1 | RHSA-2014:1351 | 2014-10-01 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Enterprise 2 | activemq | Will not fix |
| Red Hat OpenShift Enterprise 1 | activemq | Will not fix |
| Red Hat JBoss Portal 5 | spring | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | spring | Not affected |
| Red Hat JBoss Enterprise SOA Platform 5 | spring | Will not fix |
| Red Hat JBoss EAP 5 | spring | Will not fix |
| Red Hat JBoss BRMS 6 | spring | Not affected |
| Red Hat JBoss BPMS 6 | spring | Not affected |
| RHEV Manager 3 | jasperreports-server-pro | Will not fix |