JVN#55489964
Multiple vulnerabilities in Apache Brooklyn

Overview
Apache Brooklyn contains cross-site scripting vulnerabilities (CVE-2017-3165) and a cross-site request forgery vulnerability (CVE-2016-8737).
Products Affected
- Apache Brooklyn 0.9.0 and all prior versions
Description
Apache Brooklyn is a framework for modeling, monitoring, and managing applications. Apache Brooklyn contains the following vulnerabilities.
It is known that proof-of-concept code to exploit these vulnerabilities exists.
Cross-site Scripting Vulnerabilities (CWE-79) - CVE-2017-3165
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 | 
| CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5 | 
Cross-site Request Forgery Vulnerability (CWE-352) - CVE-2016-8737
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 | 
| CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 | 
Impact
- An arbitrary script may be executed in the user's web browser (CVE-2017-3165).
- Unintended operations may be performed on the Brooklyn server with the privileges of a user, when that user views a malicious page while logged in to the Brooklyn server (CVE-2016-8737).
Solution
Upgrade to Apache Brooklyn 0.10.0.
According to the developer, Apache Brooklyn 0.10.0 includes the following commits.
- pull request #35: JS clean-up (CVE-2017-3165)
- pull request #430: Use CSRF headers, and pull request #37: request and set the csrf header (protection added to the Brooklyn server) (CVE-2016-8737)
Credit
Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
| CVE | CVE-2017-3165, CVE-2016-8737 |
| JVN iPedia | JVNDB-2017-000025, JVNDB-2017-000026 |