First published: Tue Jan 17 2017
It was discovered that the hawtio 1.4 proxy servlet uses a single HttpClient instance to proxy requests, with a persistent cookie store (cookies are stored locally in the proxy and are not passed between the client and the end URL), which means all clients using that proxy share the same cookies.
Credit: secalert@redhat.com
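The pattern described above, as an added illustration rather than hawtio's own code: a proxy that shares one HttpClient and one cookie store across every caller, beside a variant that keeps cookie state per request and only relays the caller's own cookies. It assumes Apache HttpClient 4.3+ (`org.apache.httpcomponents:httpclient`); the class and method names are hypothetical.

```java
import java.io.IOException;
import org.apache.http.Header;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class ProxyCookieIsolation {

    // VULNERABLE: one client, one cookie store, shared by every caller of the proxy.
    // A Set-Cookie the upstream returns for user A is kept here and silently replayed
    // on user B's next proxied request to the same host.
    private static final CloseableHttpClient SHARED_CLIENT = HttpClients.custom()
            .setDefaultCookieStore(new BasicCookieStore())
            .build();

    static CloseableHttpResponse proxyVulnerable(String target) throws IOException {
        return SHARED_CLIENT.execute(new HttpGet(target));
    }

    // FIXED: the client may stay shared (connection pooling is harmless), but cookie
    // state must not be. IGNORE_COOKIES stops HttpClient from storing or adding any
    // cookies itself; the proxy forwards the caller's Cookie header unchanged and hands
    // every Set-Cookie back to that caller, so cookies live only in each user's browser.
    private static final CloseableHttpClient STATELESS_CLIENT = HttpClients.custom()
            .setDefaultRequestConfig(RequestConfig.custom()
                    .setCookieSpec(CookieSpecs.IGNORE_COOKIES).build())
            .build();

    static CloseableHttpResponse proxyIsolated(String target, String callerCookieHeader)
            throws IOException {
        HttpGet request = new HttpGet(target);
        if (callerCookieHeader != null) {
            request.setHeader("Cookie", callerCookieHeader); // this caller's cookies only
        }
        CloseableHttpResponse response = STATELESS_CLIENT.execute(request);
        // Relay upstream Set-Cookie headers to the caller instead of remembering them.
        for (Header setCookie : response.getHeaders("Set-Cookie")) {
            relayToCaller(setCookie); // hypothetical: copies the header onto the servlet response
        }
        return response;
    }

    static void relayToCaller(Header h) { /* copy h onto the HttpServletResponse */ }
}
```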
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Hawtio | =1.4.0 | |
| Red Hat JBoss Fuse | =6.3 | |
CVE-2017-2589 has been designated a moderate severity vulnerability.
To fix CVE-2017-2589, update to Hawtio version 1.4.1 or later and ensure proper configuration of cookie handling.
CVE-2017-2589 affects Hawtio version 1.4.0 and Red Hat JBoss Fuse version 6.3.
CVE-2017-2589 is a vulnerability related to improper cookie management in a shared proxy setup.
CVE-2017-2589 can expose shared session information among users of the proxy, which is a real security risk.