[Spacewalk-list] CVE-2020-1693

Michael Mraka michael.mraka at redhat.com
Tue Mar 3 14:40:22 UTC 2020


Laurence Rosen:
> Was just alerted to this by our security org.  Are there any plans to patch
> this?
> My seniors are looking into replacing spacewalk with something else if not.
> As I'm not a programmer, I'm not sure how to apply the linked patch.  Does
> that patch need to be compiled into a new jar?

Hello,

the issue has been fixed 3 weeks ago in Spacewalk nightly (and upcoming 2.10).
There's no plan to fix it in 2.9. You can update it manually by
downloading redstone-xmlrpc-1.1_20071120-21 from nightly repo.

> ########
> A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to
> XML internal entity attacks via the /rpc/api endpoint. An unauthenticated
> remote attacker could use this flaw to retrieve the content of certain
> files and trigger a denial of service, or in certain circumstances, execute
> arbitrary code on the Spacewalk server.
> 
> This is a 9.8 Critical and needs to be fixed as soon as possible.
> 
> Please view the links below for information and steps for remediation:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2020-1693
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1693
> 
> https://zeroauth.ltd/blog/2020/02/18/proof-of-concept-exploit-for-cve-2020-1693-spacewalk/
> 
> Upstream Fix:
> https://github.com/spacewalkproject/spacewalk/commit/74e28ec61d916c42061ef4347121650a1c962b0c

Regards,

--
Michael Mráka
System Management Engineering, Red Hat
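
A way to confirm that a server carries the build named in the reply above, as an added example that is not part of the original message or of the Spacewalk project. The package name and fixed build are taken from the reply; that the RPM release field starts with the build number (as in the constructed value `21.el7`) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original message.
# Fixed build as named in the reply: redstone-xmlrpc-1.1_20071120-21
PKG="redstone-xmlrpc"
FIXED_VERSION="1.1_20071120"
FIXED_RELEASE=21

# Print the leading integer of an RPM release string ("21.el7" -> "21").
# Assumption: the release starts with the build number, then a dist tag.
release_number() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\).*$/\1/p'
}

# classify VERSION RELEASE -> prints "fixed", "outdated" or "unknown"
classify() {
    rel=$(release_number "$2")
    if [ "$1" != "$FIXED_VERSION" ] || [ -z "$rel" ]; then
        echo "unknown"      # different upstream version or unparsable release
    elif [ "$rel" -ge "$FIXED_RELEASE" ]; then
        echo "fixed"
    else
        echo "outdated"     # same version, build older than the fixed one
    fi
}

# Query the local RPM database and classify every installed copy of the package.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "unknown: rpm not available"; return 2; }
    out=$(rpm -q --qf '%{VERSION} %{RELEASE}\n' "$PKG" 2>/dev/null) \
        || { echo "unknown: $PKG is not installed"; return 2; }
    status=0
    while read -r ver rel; do
        verdict=$(classify "$ver" "$rel")
        echo "$PKG-$ver-$rel: $verdict"
        [ "$verdict" = "fixed" ] || status=1
    done <<EOF
$out
EOF
    return $status
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_installed
    exit $?
fi
```

Run it with `--check` on the Spacewalk server; a non-zero exit status means at least one installed copy is not confirmed to be at the fixed build.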