Kaazing Gateway vulnerabilities

Original release date: April 04, 2017
Last revised: April 06, 2017
Source: Kaazing Corporation

Systems Affected

* Kaazing Gateway, prior to 4.5.3 hotfix-1
* Kaazing Gateway - JMS Edition, prior to 4.5.3 hotfix-1
* Kaazing Gateway Community Edition and Enterprise Edition, prior to 5.6.0

The following components are affected:

* Kaazing Gateway server, HTTP and WebSocket engine

Description

The Kaazing Gateway components listed above contain a potential vulnerability in the handling of HTTP requests which may result in unauthorized access. Kaazing has released updated versions of the affected software products which address this issue. Kaazing strongly recommends that sites running the affected components install the applicable update as described below.

Impact

The impact of this vulnerability is information disclosure.

CVSS v3 Vector: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Solution

We have determined that this potential vulnerability can be resolved via configuration if you have:

1. Followed the steps documented in "Checklist: Configure Authentication and Authorization": https://kaazing.com/doc/jms/4.0/security/o_aaa_config_authentication.html
2. Implemented your custom login modules conforming to the guidelines in the "Java Authentication and Authorization Service (JAAS): LoginModule Developer's Guide": http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html

We recommend updating to the corresponding hotfix or software versions:

* Kaazing Gateway - JMS Edition 4.0.5 hotfix-15, or higher
* Kaazing Gateway - JMS Edition 4.0.6 hotfix-4, or higher
* Kaazing Gateway - JMS Edition 4.0.9 hotfix-19, or higher
* Kaazing Gateway - JMS Edition 4.4.2 hotfix-1, or higher
* Kaazing Gateway - JMS Edition 4.5.3 hotfix-1, or higher
* Kaazing Gateway Community Edition and Enterprise Edition 5.6.0 or higher

If you have any questions, please contact Kaazing Global Support and quote CVE-2017-6910 or kaazing/tickets#1019.

References

https://support.kaazing.com/hc/en-us/articles/115004752368

CVE: CVE-2017-6910