Red Hat Satellite is a systems management tool for Linux-based
infrastructures. It allows for provisioning, monitoring, and remote
management of multiple Linux deployments with a single, centralized tool.
The spacewalk-java packages contain the code for the Java version of the
Spacewalk Web site.
A stored cross-site scripting (XSS) flaw was found in the way
spacewalk-java displayed log files. By sending a specially crafted request
to Satellite, a remote attacker could embed HTML content into the log file,
allowing them to inject malicious content into the web page that is used to
view that log file. (CVE-2014-3595)
Red Hat would like to thank Ron Bowes of Google for reporting this issue.
All spacewalk-java users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.