An update for spacewalk-java is now available for Red Hat Satellite 5.7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Satellite is a system management tool for Linux-based infrastructures. It allows for provisioning, monitoring, and the remote management of multiple Linux deployments with a single, centralized tool.

Security Fix(es):

* A cross-site scripting (XSS) flaw was found in how XML data was handled in Red Hat Satellite. A user able to use the XMLRPC API could exploit this flaw to perform XSS attacks against other Satellite users. (CVE-2015-0284)

* Multiple cross-site scripting (XSS) flaws were found in the way certain form data was handled in Red Hat Satellite. A user able to enter form data could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2103, CVE-2016-3079)

* Multiple cross-site scripting (XSS) flaws were found in the way HTTP GET parameter data was handled in Red Hat Satellite. A user able to provide malicious links to a Satellite user could use these flaws to perform XSS attacks against other Satellite users. (CVE-2016-2104)

Red Hat would like to thank Adam Willard (Raytheon Foreground Security) for reporting CVE-2016-2104. The CVE-2015-0284 and CVE-2016-3079 issues were discovered by Jan Hutař (Red Hat).

Red Hat Satellite (v. 5.7 for RHEL 6)

SRPMS:
spacewalk-java-2.3.8-134.el6sat.src.rpm
 
s390x:
spacewalk-java-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-config-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-lib-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-oracle-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-postgresql-2.3.8-134.el6sat.noarch.rpm
spacewalk-taskomatic-2.3.8-134.el6sat.noarch.rpm
 
x86_64:
spacewalk-java-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-config-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-lib-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-oracle-2.3.8-134.el6sat.noarch.rpm
spacewalk-java-postgresql-2.3.8-134.el6sat.noarch.rpm
spacewalk-taskomatic-2.3.8-134.el6sat.noarch.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

1181152 – XSS when altering user details and going somewhere where you are choosing user
1181472 – CVE-2015-0284 Red Hat Satellite: stored XSS in user details fields (incomplete fix for CVE-2014-7811)
1305677 – CVE-2016-2104 Satellite 5: stored and reflected XSS vulnerabilities
1305681 – CVE-2016-2103 Satellite 5: multiple stored XSS vulnerabilities
1313515 – (CVE-2016-2104) Satellite 5: multiple XSS vulnerabilities
1313517 – (CVE-2016-2103) Satellite 5: multiple XSS vulnerabilities
1320444 – (CVE-2016-3079) XSS on pages for entitlements management
1320452 – (CVE-2016-3079) two XSS issues due to element creation in SSM (Perl stack) and displaying outside of it
1320940 – CVE-2016-3079 spacewalk-java: Multiple XSS issues in WebUI

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: