{ "threat_severity" : "Moderate", "public_date" : "2020-05-13T00:00:00Z", "bugzilla" : { "description" : "ant: insecure temporary file vulnerability", "id" : "1837444", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1837444" }, "cvss3" : { "cvss3_base_score" : "6.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-377", "details" : [ "Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process." ], "statement" : "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "affected_release" : [ { "product_name" : "Red Hat AMQ Streams 1.5.0", "release_date" : "2020-06-19T00:00:00Z", "advisory" : "RHSA-2020:2618", "cpe" : "cpe:/a:redhat:amq_streams:1", "package" : "ant", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0637", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "jenkins-0:2.263.3.1612433584-1.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 4.5", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0429", "cpe" : "cpe:/a:redhat:openshift:4.5::el7", "package" : "conmon-2:2.0.21-1.rhaos4.5.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 4.5", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0429", "cpe" : "cpe:/a:redhat:openshift:4.5::el7", "package" : "jenkins-0:2.263.3.1612434332-1.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 4.5", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0429", "cpe" : "cpe:/a:redhat:openshift:4.5::el7", "package" : "machine-config-daemon-0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.5", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0429", "cpe" : "cpe:/a:redhat:openshift:4.5::el7", "package" : "openshift-0:4.5.0-202102050524.p0.git.0.9229406.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 4.5", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0429", "cpe" : "cpe:/a:redhat:openshift:4.5::el7", "package" : "openshift-ansible-0:4.5.0-202102031005.p0.git.0.c6839a2.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 4.5", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0429", "cpe" : "cpe:/a:redhat:openshift:4.5::el7", "package" : "openshift-clients-0:4.5.0-202102051529.p0.git.3612.61b096a.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 4.5", "release_date" : "2021-03-03T00:00:00Z", "advisory" : "RHSA-2021:0429", "cpe" : "cpe:/a:redhat:openshift:4.5::el7", "package" : "runc-0:1.0.0-72.rhaos4.5.giteadfc6b.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.6", "release_date" : "2021-02-17T00:00:00Z", "advisory" : "RHSA-2021:0423", "cpe" : "cpe:/a:redhat:openshift:4.6::el8", "package" : "jenkins-0:2.263.3.1612434510-1.el8" }, { "product_name" : "RHDM 7.9.0", "release_date" : "2020-11-05T00:00:00Z", "advisory" : "RHSA-2020:4960", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.9", "package" : "ant" }, { "product_name" : "RHPAM 7.9.0", "release_date" : "2020-11-05T00:00:00Z", "advisory" : "RHSA-2020:4961", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.9", "package" : "ant" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "ant", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "ant", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "ant:1.10/ant", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "ant", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Out of support scope", "package_name" : "ant", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "rh-sso7-keycloak", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1945\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1945" ], "name" : "CVE-2020-1945", "mitigation" : { "value" : "For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant.\nFor versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.", "lang" : "en:us" }, "csaw" : false }