Advisory for kaazing/tickets#1019

Kaazing Gateway vulnerabilities

   Original release date: April 04, 2017
   Last revised: April 06, 2017
   Source: Kaazing Corporation


Systems Affected

   Kaazing Gateway, prior to 4.5.3 hotfix-1
   Kaazing Gateway - JMS Edition, prior to 4.5.3 hotfix-1
   Kaazing Gateway Community Edition and Enterprise Edition, prior to 5.6.0

   The following components are affected:

     * Kaazing Gateway server, HTTP and WebSocket engine


Description

   The Kaazing Gateway components listed above contain a potential
   vulnerability in the handling of HTTP requests which may result
   in unauthorized access. Kaazing has released updated versions of the
   affected software products which address this issue. Kaazing strongly
   recommends that sites running the affected components install the
   applicable update as described below.


Impact

   The impact of this vulnerability is information disclosure.

   CVSS v3 Vector:
   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C


Solution

   We have determined that this potential vulnerability can be resolved
   via configuration if you have:

     1. Followed the steps documented in "Checklist: Configure
        Authentication and Authorization":
        https://kaazing.com/doc/jms/4.0/security/o_aaa_config_authentication.html

     2. Implemented your custom login modules conforming to guidelines in
        the "Java Authentication and Authorization Service (JAAS):
        LoginModule Developer's Guide":
        http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html

   We recommend updating to the corresponding hotfix or software versions:

     * Kaazing Gateway - JMS Edition 4.0.5 hotfix-15, or higher
     * Kaazing Gateway - JMS Edition 4.0.6 hotfix-4, or higher
     * Kaazing Gateway - JMS Edition 4.0.9 hotfix-19, or higher
     * Kaazing Gateway - JMS Edition 4.4.2 hotfix-1, or higher
     * Kaazing Gateway - JMS Edition 4.5.3 hotfix-1, or higher
     * Kaazing Gateway Community Edition and Enterprise Edition 5.6.0 or higher

   If you have any questions, please contact Kaazing Global Support and
   quote CVE-2017-6910 or kaazing/tickets#1019.


References

   https://support.kaazing.com/hc/en-us/articles/115004752368

   CVE: CVE-2017-6910
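   As an added example (not part of the Kaazing advisory), the following
   Python helper checks an inventory of deployed Kaazing Gateway version
   strings against the fixed versions listed under Solution. It assumes
   version strings of the form "4.0.5 hotfix-15" or "5.6.0", and, following
   the "prior to 4.5.3 hotfix-1" statement under Systems Affected, treats any
   4.x release above 4.5.3 as fixed; both are assumptions, not statements
   from the advisory.

```python
import re

# Fixed 4.x branches from the advisory, mapped to the minimum hotfix that
# carries the fix for CVE-2017-6910.
FIXED_HOTFIX_BY_BRANCH = {
    (4, 0, 5): 15,
    (4, 0, 6): 4,
    (4, 0, 9): 19,
    (4, 4, 2): 1,
    (4, 5, 3): 1,
}
FIXED_5X = (5, 6, 0)          # Community/Enterprise Edition fixed from 5.6.0
LAST_4X_BRANCH = (4, 5, 3)    # assumption: 4.x above 4.5.3 is past the fix
# Assumed version string format, e.g. "4.0.5 hotfix-15" or "5.6.0".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+hotfix-(\d+))?\s*$", re.I)

def parse_version(text):
    """Return ((major, minor, patch), hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Kaazing version string: {text!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    return base, int(m.group(4) or 0)

def is_fixed(text):
    """True if the version carries the fix. Plain tuple ordering is wrong
    here: 4.0.5 hotfix-15 is fixed while the numerically later 4.0.7 (no
    hotfix) is not, so the 4.x line is compared branch by branch."""
    base, hotfix = parse_version(text)
    if base[0] >= 5:
        return base >= FIXED_5X
    if base > LAST_4X_BRANCH:
        return True
    minimum = FIXED_HOTFIX_BY_BRANCH.get(base)
    return minimum is not None and hotfix >= minimum

def affected_hosts(inventory):
    """Return [(host, version)] for entries still running an affected build."""
    return [(host, ver) for host, ver in inventory if not is_fixed(ver)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("gw-jms-01", "4.0.5 hotfix-15"),
    ("gw-jms-02", "4.0.5 hotfix-14"),
    ("gw-jms-03", "4.0.7"),
    ("gw-ce-01", "5.5.2"),
    ("gw-ee-01", "5.6.0"),
]
```

   Run `affected_hosts(SAMPLE_INVENTORY)` to list the entries that still need
   the hotfix or upgrade; a version string in an unexpected format raises
   ValueError rather than being silently treated as fixed.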