Headline
CVE-2014-3595
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.
Synopsis
Important: spacewalk-java security update
Type/Severity
Security Advisory: Important
Topic
Updated spacewalk-java packages that fix one security issue are now
available for Red Hat Satellite 5.4, 5.5, and 5.6.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Description
Red Hat Satellite is a systems management tool for Linux-based
infrastructures. It allows for provisioning, monitoring, and remote
management of multiple Linux deployments with a single, centralized tool.
The spacewalk-java packages contain the code for the Java version of the
Spacewalk Web site.
A stored cross-site scripting (XSS) flaw was found in the way
spacewalk-java displayed log files. By sending a specially crafted request
to Satellite, a remote attacker could embed HTML content into the log file,
allowing them to inject malicious content into the web page that is used to
view that log file. (CVE-2014-3595)
Red Hat would like to thank Ron Bowes of Google for reporting this issue.
All spacewalk-java users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.
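The flaw class described above, shown as an added illustration: a log viewer that writes log text into the page unescaped, next to one that HTML-encodes it at display time. This is not Spacewalk code or the backported patch; the class, the method names and the sample log lines are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical log-view renderer; names are illustrative, not from spacewalk-java.
public class LogViewEscaping {

    // Unsafe: log text goes into the page as-is, so markup recorded in the log becomes live HTML.
    static String renderUnsafe(List<String> logLines) {
        StringBuilder html = new StringBuilder("<pre>");
        for (String line : logLines) {
            html.append(line).append('\n');
        }
        return html.append("</pre>").toString();
    }

    // Safe: each line is encoded when displayed, which also covers entries already on disk.
    static String renderEscaped(List<String> logLines) {
        StringBuilder html = new StringBuilder("<pre>");
        for (String line : logLines) {
            html.append(escapeHtml(line)).append('\n');
        }
        return html.append("</pre>").toString();
    }

    // Encodes the characters that are significant in HTML text and attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample log: the second entry records a request field that contained markup.
        List<String> log = Arrays.asList(
            "2014-08-01 10:00:01 INFO  login ok user=admin",
            "2014-08-01 10:00:07 WARN  login failed user=<h1>injected</h1>");
        System.out.println(renderUnsafe(log));   // the <h1> element reaches the browser as markup
        System.out.println(renderEscaped(log));  // the same entry is shown as inert text
    }
}
```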
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Satellite 5.6 for RHEL 6 x86_64
- Red Hat Satellite 5.6 for RHEL 6 s390x
- Red Hat Satellite 5.6 for RHEL 5 x86_64
- Red Hat Satellite 5.6 for RHEL 5 s390x
- Red Hat Satellite with Embedded Oracle 5.5 for RHEL 6 x86_64
- Red Hat Satellite with Embedded Oracle 5.5 for RHEL 6 s390x
- Red Hat Satellite with Embedded Oracle 5.5 for RHEL 5 x86_64
- Red Hat Satellite with Embedded Oracle 5.5 for RHEL 5 s390x
- Red Hat Satellite with Embedded Oracle 5.4 for RHEL 6 x86_64
- Red Hat Satellite with Embedded Oracle 5.4 for RHEL 6 s390x
- Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5 x86_64
- Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5 s390x
- Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5 i386
Fixes
- BZ - 1129821 - CVE-2014-3595 Satellite: Spacewalk contains XSS in log file view
Red Hat Satellite 5.6 for RHEL 6
SRPM
spacewalk-java-2.0.2-85.el6sat.src.rpm
x86_64, s390x
spacewalk-java-2.0.2-85.el6sat.noarch.rpm
spacewalk-java-config-2.0.2-85.el6sat.noarch.rpm
spacewalk-java-lib-2.0.2-85.el6sat.noarch.rpm
spacewalk-java-oracle-2.0.2-85.el6sat.noarch.rpm
spacewalk-java-postgresql-2.0.2-85.el6sat.noarch.rpm
spacewalk-taskomatic-2.0.2-85.el6sat.noarch.rpm
Red Hat Satellite 5.6 for RHEL 5
SRPM
spacewalk-java-2.0.2-85.el5sat.src.rpm
x86_64, s390x
spacewalk-java-2.0.2-85.el5sat.noarch.rpm
spacewalk-java-config-2.0.2-85.el5sat.noarch.rpm
spacewalk-java-lib-2.0.2-85.el5sat.noarch.rpm
spacewalk-java-oracle-2.0.2-85.el5sat.noarch.rpm
spacewalk-java-postgresql-2.0.2-85.el5sat.noarch.rpm
spacewalk-taskomatic-2.0.2-85.el5sat.noarch.rpm
Red Hat Satellite with Embedded Oracle 5.5 for RHEL 6
SRPM
spacewalk-java-1.7.54-129.el6sat.src.rpm
x86_64, s390x
spacewalk-java-1.7.54-129.el6sat.noarch.rpm
spacewalk-java-config-1.7.54-129.el6sat.noarch.rpm
spacewalk-java-lib-1.7.54-129.el6sat.noarch.rpm
spacewalk-java-oracle-1.7.54-129.el6sat.noarch.rpm
spacewalk-taskomatic-1.7.54-129.el6sat.noarch.rpm
Red Hat Satellite with Embedded Oracle 5.5 for RHEL 5
SRPM
spacewalk-java-1.7.54-129.el5sat.src.rpm
x86_64, s390x
spacewalk-java-1.7.54-129.el5sat.noarch.rpm
spacewalk-java-config-1.7.54-129.el5sat.noarch.rpm
spacewalk-java-lib-1.7.54-129.el5sat.noarch.rpm
spacewalk-java-oracle-1.7.54-129.el5sat.noarch.rpm
spacewalk-taskomatic-1.7.54-129.el5sat.noarch.rpm
Red Hat Satellite with Embedded Oracle 5.4 for RHEL 6
SRPM
spacewalk-java-1.2.39-137.el6sat.src.rpm
x86_64, s390x
spacewalk-java-1.2.39-137.el6sat.noarch.rpm
spacewalk-java-config-1.2.39-137.el6sat.noarch.rpm
spacewalk-java-lib-1.2.39-137.el6sat.noarch.rpm
spacewalk-java-oracle-1.2.39-137.el6sat.noarch.rpm
spacewalk-taskomatic-1.2.39-137.el6sat.noarch.rpm
Red Hat Satellite with Embedded Oracle 5.4 for RHEL 5
SRPM
spacewalk-java-1.2.39-137.el5sat.src.rpm
x86_64, s390x, i386
spacewalk-java-1.2.39-137.el5sat.noarch.rpm
spacewalk-java-config-1.2.39-137.el5sat.noarch.rpm
spacewalk-java-lib-1.2.39-137.el5sat.noarch.rpm
spacewalk-java-oracle-1.2.39-137.el5sat.noarch.rpm
spacewalk-taskomatic-1.2.39-137.el5sat.noarch.rpm