[Spacewalk-list] CVE-2020-1693
Laurence Rosen
lrosen at interactions.com
Mon Mar 2 23:10:29 UTC 2020
Was just alerted to this by our security org. Are there any plans to patch
this?
My seniors are looking into replacing spacewalk with something else if not.
As I'm not a programmer, I'm not sure how to apply the linked patch. Does
that patch need to be compiled into a new jar?
########
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to
XML internal entity attacks via the /rpc/api endpoint. An unauthenticated
remote attacker could use this flaw to retrieve the content of certain
files and trigger a denial of service, or in certain circumstances, execute
arbitrary code on the Spacewalk server.
This is a 9.8 Critical and needs to be fixed as soon as possible.
Please view the links below for information and steps for remediation:
https://nvd.nist.gov/vuln/detail/CVE-2020-1693
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
Upstream Fix:
https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
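For anyone reading the archive who wants to understand what the class of bug is before deciding on the patch: the flaw is an XML parser at /rpc/api that still honours DOCTYPE declarations, so a request body can declare entities that the server then expands (internal entity expansion for denial of service, external entities for file disclosure). The following is an added example of how a JAXP parser is hardened against that, written for this archive entry; it is not Laurence's code, not the Spacewalk code base, and not the upstream commit, and the class and method names are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Illustrative hardened XML parsing for an XML-RPC style endpoint (not Spacewalk's own code). */
public class HardenedXmlRpcParser {

    /** Build a DocumentBuilder that rejects DTDs and never resolves external entities. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...>: no internal entity expansion, no external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse a request body with the hardened builder and return the XML-RPC method name. */
    static String methodName(String body) throws Exception {
        Document doc = newHardenedBuilder()
            .parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("methodName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary XML-RPC call, which must still parse.
        String benign = "<?xml version=\"1.0\"?><methodCall>"
            + "<methodName>api.getVersion</methodName><params/></methodCall>";
        System.out.println("benign call -> " + methodName(benign));

        // Constructed sample: the same call with a DOCTYPE declaring a harmless internal entity.
        // The hardened parser refuses the whole document before any entity is expanded.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE methodCall [<!ENTITY n \"api.getVersion\">]>"
            + "<methodCall><methodName>&n;</methodName><params/></methodCall>";
        try {
            methodName(withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The useful check on a running server is the second case: a request containing any DOCTYPE should be refused outright rather than parsed, since a legitimate XML-RPC client never needs one. Until the upstream fix is in place, filtering DOCTYPE-bearing requests at a reverse proxy in front of /rpc/api gives the same effect from outside the application.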