漏洞类别:RedHat
漏洞等级: 
漏洞信息
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
Affected Products:
JBoss Enterprise Application Platform 6.4 for RHEL 7 x86_64
JBoss Enterprise Application Platform 6.4 for RHEL 7 ppc64
JBoss Enterprise Application Platform 6 for RHEL 7 x86_64
JBoss Enterprise Application Platform 6 for RHEL 7 ppc64
漏洞危害
On successful exploitation it allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
解决方案
Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.
Refer to Red Hat security advisory RHSA-2017:3218 to address this issue and obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论