[Spacewalk-list] CVE-2020-1693
Elsever Sadigov
e.sadigov at millikart.az
Tue Mar 3 12:54:58 UTC 2020
We have the same after our last scan, plus cipher and other vulnerabilities.
Is there anyone working on the security side of this product?
--
Best Regards,
Elsevar Sadigov
On 3/3/2020 03:10, Laurence Rosen wrote:
>
> Was just alerted to this by our security org. Are there any plans to
> patch this?
> My seniors are looking into replacing Spacewalk with something else if
> not.
> As I'm not a programmer, I'm not sure how to apply the linked patch.
> Does that patch need to be compiled into a new jar?
>
> ########
> A flaw was found in Spacewalk up to version 2.9 where it was
> vulnerable to XML internal entity attacks via the /rpc/api endpoint.
> An unauthenticated remote attacker could use this flaw to retrieve the
> content of certain files and trigger a denial of service, or in
> certain circumstances, execute arbitrary code on the Spacewalk server.
>
> This is a 9.8 Critical and needs to be fixed as soon as possible.
>
> Please view the links below for information and steps for remediation:
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-1693
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
>
> https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
>
> Upstream Fix:
> https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
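The flaw quoted above is an entity attack against an XML-RPC endpoint. As an added example, not part of this thread and not Spacewalk's own code, here is how a defender-side XML-RPC parser refuses any DTD before a single entity is processed, using Python's expat binding; the helper names and the two sample requests are constructed for illustration.

```python
# Added example, not Spacewalk's own code: an XML-RPC request parser that
# refuses any DTD, the defensive posture for an endpoint like /rpc/api.
import xml.parsers.expat

class DtdNotAllowed(ValueError):
    """Raised when a request carries a DOCTYPE; XML-RPC never needs one."""

def parse_xmlrpc_method_name(body: bytes) -> str:
    """Return the <methodName> of an XML-RPC call, rejecting any DTD up front."""
    # Internal and external entity attacks both need a DOCTYPE declaration,
    # so refusing it closes the whole class before any entity is processed.
    name_parts, in_method_name = [], False

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE declarations are not accepted on this endpoint")

    def start_element(tag, attrs):
        nonlocal in_method_name
        in_method_name = tag == "methodName"

    def end_element(tag):
        nonlocal in_method_name
        if tag == "methodName":
            in_method_name = False

    def char_data(data):
        if in_method_name:
            name_parts.append(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype  # fires before any entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(body, True)  # raises ExpatError on malformed XML
    return "".join(name_parts).strip()

def is_rejected(body: bytes) -> bool:
    """True when the hardened parser refuses the request because of a DTD."""
    try:
        parse_xmlrpc_method_name(body)
    except DtdNotAllowed:
        return True
    return False

# Constructed sample requests: a plain call and one carrying a harmless DTD.
SAFE_CALL = b"<?xml version='1.0'?><methodCall><methodName>api.getVersion</methodName><params/></methodCall>"
DTD_CALL = b"<?xml version='1.0'?><!DOCTYPE methodCall [<!ENTITY x 'abc'>]><methodCall><methodName>&x;</methodName></methodCall>"
```

The same check belongs in front of any XML-RPC dispatcher that does not need DTDs, since a request that declares one has no legitimate reason to reach the method handler.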