Apr 04, 2016 - 12:00 a.m.

(RHSA-2016:0590) Moderate: spacewalk-java security update

access.redhat.com

EPSS: 0.003 (Low), percentile 68.8%

Red Hat Satellite is a system management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and the remote management of multiple Linux deployments with a single, centralized tool.

Security Fix(es):

  • A cross-site scripting (XSS) flaw was found in how XML data was handled in Red Hat Satellite. A user able to use the XMLRPC API could exploit this flaw to perform XSS attacks against other Satellite users. (CVE-2015-0284)

  • Multiple cross-site scripting (XSS) flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2103, CVE-2016-3079)

  • Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2104)

Red Hat would like to thank Adam Willard (Raytheon Foreground Security) for reporting CVE-2016-2104. The CVE-2015-0284 and CVE-2016-3079 issues were discovered by Jan Hutař (Red Hat).
