Red Hat Satellite is a systems management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and remote management of multiple Linux deployments with a single, centralized tool. The spacewalk-java packages contain the code for the Java version of the Spacewalk Web site.
A stored cross-site scripting (XSS) flaw was found in the way spacewalk-java displayed log files. By sending a specially crafted request to Satellite, a remote attacker could embed HTML content into the log file, allowing them to inject malicious content into the web page that is used to view that log file. (CVE-2014-3595)
Red Hat would like to thank Ron Bowes of Google for reporting this issue.
All spacewalk-java users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.