{
  "threat_severity" : "Important",
  "public_date" : "2019-06-11T10:41:00Z",
  "bugzilla" : {
    "description" : "jolokia: system-wide CSRF that could lead to Remote Code Execution",
    "id" : "1601037",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1601037"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "A flaw was found in Jolokia versions 1.2 up to, but not including, 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true even for properly configured instances that have strict checking of the Origin and Referer headers enabled. This could result in a Remote Code Execution attack.", "A flaw was found in Jolokia, versions 1.2 through 1.6.0, where Jolokia did not correctly handle checking of the Origin and Referer headers when strict checking was enabled. An attacker could use this vulnerability to conduct cross-site request forgery or further attacks." ],
  "statement" : "In Red Hat OpenStack Platform, jolokia is not enabled by default and, when enabled, the jolokia endpoints do not rely on CORS for security. Therefore, the impact has been reduced to Low and no updates will be provided at this time for the RHOSP jolokia package.",
  "acknowledgement" : "Red Hat would like to thank Martin Bajanik for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 6.3",
    "release_date" : "2019-09-17T00:00:00Z",
    "advisory" : "RHSA-2019:2804",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3",
    "package" : "jolokia-core"
  }, {
    "product_name" : "Red Hat Fuse 6.3",
    "release_date" : "2019-09-17T00:00:00Z",
    "advisory" : "RHSA-2019:2804",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3",
    "package" : "jolokia-core"
  }, {
    "product_name" : "Red Hat Fuse 7.4.0",
    "release_date" : "2019-08-08T00:00:00Z",
    "advisory" : "RHSA-2019:2413",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "jolokia-core"
  } ],
  "package_state" : [ {
    "product_name" : "JBoss Developer Studio 11",
    "fix_state" : "Out of support scope",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:jboss_dev_studio:11."
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Affected",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "jolokia-core",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 12 (Pike)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:12",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Fix deferred",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:9",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-10899\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-10899\nhttps://jolokia.org/#Minor_updates_coming_with_1.6.1" ],
  "name" : "CVE-2018-10899",
  "csaw" : false
}