We have the same after the last scan, plus ciphers etc. vulnerabilities.
Is there anyone working on the security side of this product?
--
Best Regards,
Elsevar Sadigov
On 3/3/2020 03:10, Laurence Rosen wrote:
Was just alerted to this by our security org. Are there any plans to
patch this?
My seniors are looking into replacing Spacewalk with something else if
not.
As I'm not a programmer, I'm not sure how to apply the linked patch.
Does that patch need to be compiled into a new jar?
########
A flaw was found in Spacewalk up to version 2.9 where it was
vulnerable to XML internal entity attacks via the /rpc/api endpoint.
An unauthenticated remote attacker could use this flaw to retrieve the
content of certain files and trigger a denial of service, or in
certain circumstances, execute arbitrary code on the Spacewalk server.
This is a 9.8 Critical and needs to be fixed as soon as possible.
Please view the links below for information and steps for remediation:
https://nvd.nist.gov/vuln/detail/CVE-2020-1693
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
Upstream Fix:
https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
*******************************************************************************
This e-mail and any of its attachments may contain Interactions LLC
proprietary information, which is privileged, confidential, or subject
to copyright belonging to the Interactions LLC. This e-mail is
intended solely for the use of the individual or entity to which it is
addressed. If you are not the intended recipient of this e-mail, you
are hereby notified that any dissemination, distribution, copying, or
action taken in relation to the contents of and attachments to this
e-mail is strictly prohibited and may be unlawful. If you have
received this e-mail in error, please notify the sender immediately
and permanently delete the original and any copy of this e-mail and
any printout. Thank You.
*******************************************************************************
--
This email was Malware checked by Security Department
_______________________________________________
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list
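Added example, not part of the thread above and not Spacewalk's own code or its upstream patch: a small Python model of the flaw class the advisory describes (an XML-RPC endpoint like /rpc/api whose parser expands DTD entities from an unauthenticated request) beside the usual hardening, which is to reject any DOCTYPE before parsing. The request bodies, entity names and function names are constructed for the demo. Python's expat does not fetch external entities by default, so the "naive" parser here shows the internal-entity expansion (a scaled-down billion-laughs) rather than a file read; the hardened parser aborts on the DOCTYPE, which removes both the internal- and external-entity paths since neither exists without a DTD.

```python
import xml.parsers.expat

# Constructed sample request to an XML-RPC endpoint such as /rpc/api. The DTD
# defines nested internal entities (a scaled-down "billion laughs"); a real
# attack nests far more levels so a few bytes of request expand to gigabytes.
MALICIOUS_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY a "auth.login">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<methodCall><methodName>&c;</methodName><params/></methodCall>
"""

# Constructed benign request: no DTD at all, as a normal XML-RPC client sends.
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>auth.login</methodName>
  <params><param><value><string>admin</string></value></param></params>
</methodCall>
"""


class DoctypeNotAllowed(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


def extract_method_name(body, reject_doctype):
    """Parse an XML-RPC methodCall body and return the methodName text.

    reject_doctype=False behaves like a naive server-side parser: DTD
    entities are expanded into the document. reject_doctype=True makes any
    DOCTYPE abort parsing before entity expansion can happen.
    """
    parser = xml.parsers.expat.ParserCreate()
    depth_in_name = [0]          # >0 while inside <methodName>
    chunks = []                  # CharacterDataHandler may fire in pieces

    def start_element(name, attrs):
        if name == "methodName":
            depth_in_name[0] += 1

    def end_element(name):
        if name == "methodName":
            depth_in_name[0] -= 1

    def character_data(data):
        if depth_in_name[0]:
            chunks.append(data)

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Exceptions raised inside an expat handler propagate out of Parse().
        raise DoctypeNotAllowed(
            "DTD in XML-RPC request rejected (doctype %r)" % doctype_name)

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    if reject_doctype:
        parser.StartDoctypeDeclHandler = start_doctype
    parser.Parse(body.encode("utf-8"), True)
    return "".join(chunks)


def demo():
    """Return (expanded_length, hardened_verdict) for the malicious request."""
    expanded = extract_method_name(MALICIOUS_REQUEST, reject_doctype=False)
    try:
        extract_method_name(MALICIOUS_REQUEST, reject_doctype=True)
        verdict = "accepted"
    except DoctypeNotAllowed:
        verdict = "rejected"
    return len(expanded), verdict


if __name__ == "__main__":
    length, verdict = demo()
    print("naive parser expanded methodName to %d characters" % length)
    print("hardened parser: malicious request %s" % verdict)
    print("benign request still parses:",
          extract_method_name(BENIGN_REQUEST, reject_doctype=True))
```

Three levels of four references already turn one entity into sixteen copies; the same structure a few levels deeper is the denial-of-service case the advisory mentions. This script only models the parser behaviour; it does not tell you whether a given Spacewalk server is patched, and for that the thread's own answer applies: apply the upstream fix (or a package that contains it) rather than hand-editing a jar.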