—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Fuse 7.2 security update
Advisory ID: RHSA-2018:3768-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3768
Issue date: 2018-12-04
CVE Names: CVE-2016-5002 CVE-2016-5003 CVE-2017-12196
CVE-2018-1257 CVE-2018-1259 CVE-2018-1288
CVE-2018-1336 CVE-2018-8014 CVE-2018-8018
CVE-2018-8039 CVE-2018-8041 CVE-2018-12537
=====================================================================
1. Summary:
An update is now available for Red Hat Fuse.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Fuse enables integration experts, application developers, and
business users to collaborate and independently develop connected
solutions.
Fuse is part of an agile integration solution. Its distributed approach
allows teams to deploy integrated services where required. The API-centric,
container-based architecture decouples services so they can be created,
extended, and deployed independently.
This release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse
7.1, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* xmlrpc: Deserialization of untrusted Java object through
<ex:serializable> tag (CVE-2016-5003)
* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)
* ignite: Improper deserialization allows for code execution via
GridClientJdkMarshaller endpoint (CVE-2018-8018)
* apache-cxf: TLS hostname verification does not work correctly with
com.sun.net.ssl.* (CVE-2018-8039)
* xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
(CVE-2016-5002)
* undertow: Client can use bogus uri in Digest authentication
(CVE-2017-12196)
* spring-data-commons: XXE with Spring Data’s XMLBeam integration
(CVE-2018-1259)
* kafka: Users can perform Broker actions via crafted fetch requests,
interfering with data replication and causing data lass (CVE-2018-1288)
* tomcat: Insecure defaults in CORS filter enable ‘supportsCredentials’ for
all origins (CVE-2018-8014)
* camel-mail: path traversal vulnerability (CVE-2018-8041)
* vertx: Improper neutralization of CRLF sequences allows remote attackers
to inject arbitrary HTTP response headers (CVE-2018-12537)
* spring-framework: ReDoS Attack with spring-messaging (CVE-2018-1257)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
Red Hat would like to thank Eedo Shapira (GE Digital) for reporting
CVE-2018-8041. The CVE-2017-12196 issue was discovered by Jan Stourac (Red
Hat).
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
Installation instructions are located in the download section of the
customer portal.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1503055 – CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication
1508110 – CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
1508123 – CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
1578578 – CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging
1578902 – CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
1579611 – CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable ‘supportsCredentials’ for all origins
1591072 – CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers
1595332 – CVE-2018-8039 apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*
1607591 – CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1607731 – CVE-2018-8018 ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint
1611059 – CVE-2018-1288 kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data lass
1612644 – CVE-2018-8041 camel-mail: path traversal vulnerability
5. References:
https://access.redhat.com/security/cve/CVE-2016-5002
https://access.redhat.com/security/cve/CVE-2016-5003
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2018-1257
https://access.redhat.com/security/cve/CVE-2018-1259
https://access.redhat.com/security/cve/CVE-2018-1288
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8018
https://access.redhat.com/security/cve/CVE-2018-8039
https://access.redhat.com/security/cve/CVE-2018-8041
https://access.redhat.com/security/cve/CVE-2018-12537
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.2.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.2/
https://access.redhat.com/articles/2939351
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIVAwUBXAakytzjgjWX9erEAQgDkw//Wb1MeuX1VOUq4u9qkgtp3ECPTAR3GE8B
RWHYBguzM+WJrDPTtgH1sy1BstIEPgVooQLTKWhZYtJpR64S5T6YAv+aFh1vA7qI
87GDERqiATIm3l8qKBBOF02FukP9ywkaH5hR+pT7tM2OuN8iZ4dvKl0Rdzs6vnhF
Ea+qVCKeQlyn88HUUqYw51nBX7tbK0H1RuG7DxlU93LBYqymMIZ90KhcGeuvNPu/
BVk7xMDtbdPSagSBy5WFpTvZ/ozeYBmO7u8p9l67SiD3obR6Rtn83B3DKvL/AFP4
ahKlIrK62hk2qgXrpLQ9aVUwBMZ1Lqu99LelF20hRt38L7qy/EXtD+Xdt0H9Xl/H
bcLyRvjq8pOjdrdqAvnfI5HBDdSZrxujYX9t6egoQg3wFuS9h0DbKFMXSKMSaW2S
WlP4L5zbCTvhPy3mIPOECKDxP8Xa2g2HnqCal2PpHIXGVBvD0CTuxI0b7a6WKKYf
dbhm5uIEhdoS/vSuHntq+o+3IzlhRNHKx2Uh+03arWYyj4N26bbKFB+v+7gjL2e9
1ITf4HXEUphym5PY0R1GGc2Xr5Xc8BjV8xX3pgvI8FcRov4XGsS37TYpvNxPmTCA
e4VB2C4WS+AFhk1QJR7cNuACwUxjarIoKUp1CX5gvqu35pVgxR97KxoblGdMtR9g
UOgTm4iHIhQ=
=RCpd
—–END PGP SIGNATURE—–
—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce