CVE-2017-2589
It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests, with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL). As a result, all clients using that proxy share the same cookies.
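The following is an added illustration of the pattern described above, not hawtio's own code. It assumes Apache HttpClient 4.5 (the `HttpClients`, `BasicCookieStore` and `HttpClientContext` APIs); the class and method names are hypothetical. The first proxy binds one `CookieStore` to a single shared client, so a `Set-Cookie` received while forwarding one caller's request is replayed on every later caller's request. The second keeps the shared client (connection pooling is unaffected) but attaches a fresh, per-request cookie store through an `HttpClientContext`, so nothing persists between callers; the `main` method simulates the difference offline by populating the stores directly.

```java
import org.apache.http.client.CookieStore;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.cookie.BasicClientCookie;

import java.io.IOException;

/** Hypothetical proxy helpers contrasting a shared cookie store with per-request isolation. */
public class ProxyCookieIsolation {

    /** VULNERABLE PATTERN: one client, one cookie store, shared by every caller. */
    static final class SharedCookieProxy {
        final CookieStore sharedStore = new BasicCookieStore();
        private final CloseableHttpClient client =
                HttpClients.custom().setDefaultCookieStore(sharedStore).build();

        CloseableHttpResponse forward(String url) throws IOException {
            // Cookies collected from earlier callers ride along on this request.
            return client.execute(new HttpGet(url));
        }
    }

    /** HARDENED PATTERN: shared client, but cookie state scoped to a single request. */
    static final class IsolatedCookieProxy {
        private final CloseableHttpClient client = HttpClients.createDefault();

        CloseableHttpResponse forward(String url) throws IOException {
            HttpClientContext ctx = HttpClientContext.create();
            // A new store per request: nothing received here survives into the next call.
            // (If the proxy never needs upstream cookies at all, setting the cookie spec to
            // CookieSpecs.IGNORE_COOKIES in RequestConfig is an even simpler option.)
            ctx.setCookieStore(new BasicCookieStore());
            return client.execute(new HttpGet(url), ctx);
        }

        /** Exposed so the simulation below can show the per-request store starts empty. */
        static CookieStore newRequestStore() {
            return new BasicCookieStore();
        }
    }

    /** Offline simulation: a constructed session cookie, as an upstream server might set it. */
    static BasicClientCookie constructedSessionCookie(String user) {
        BasicClientCookie c = new BasicClientCookie("JSESSIONID", "session-of-" + user);
        c.setDomain("backend.example"); // constructed placeholder host
        c.setPath("/");
        return c;
    }

    public static void main(String[] args) {
        // Shared store: user A's upstream session cookie is now visible to user B.
        SharedCookieProxy shared = new SharedCookieProxy();
        shared.sharedStore.addCookie(constructedSessionCookie("userA"));
        System.out.println("shared store seen by user B: " + shared.sharedStore.getCookies());

        // Isolated store: user B's request begins with no cookies from anyone else.
        CookieStore perRequest = IsolatedCookieProxy.newRequestStore();
        System.out.println("per-request store seen by user B: " + perRequest.getCookies());
    }
}
```

The defensive point is that `setDefaultCookieStore` on a long-lived client makes cookie state a process-wide resource; any proxy that multiplexes users through one client must either scope cookies per request (or per authenticated session) or disable cookie handling altogether.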
Find out more about CVE-2017-2589 from the MITRE CVE dictionary and NIST NVD.
CVSS v3 metrics
| Metric | Value |
|---|---|
| CVSS3 Base Score | 8.7 |
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss A-MQ 6.3 | RHSA-2017:1832 | 2017-08-10 |
| Red Hat JBoss Fuse 6.3 | RHSA-2017:1832 | 2017-08-10 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Enterprise 2 | hawtio | Under investigation |
