
Red Hat Security Advisory 2018-3768-01

Posted Dec 6, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-3768-01 - Red Hat Fuse enables integration experts, application developers, and business users to collaborate and independently develop connected solutions. Fuse is part of an agile integration solution. Its distributed approach allows teams to deploy integrated services where required. The API-centric, container-based architecture decouples services so they can be created, extended, and deployed independently. This release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse 7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, denial of service, deserialization, and traversal vulnerabilities.

tags | advisory, denial of service, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2016-5002, CVE-2016-5003, CVE-2017-12196, CVE-2018-12537, CVE-2018-1257, CVE-2018-1259, CVE-2018-1288, CVE-2018-1336, CVE-2018-8014, CVE-2018-8018, CVE-2018-8039, CVE-2018-8041
SHA-256 | c506280a0a265d8483cea4a2aa6dfd844cda7e1186db77546a2434f9dc9c79cb

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Fuse 7.2 security update
Advisory ID: RHSA-2018:3768-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3768
Issue date: 2018-12-04
CVE Names: CVE-2016-5002 CVE-2016-5003 CVE-2017-12196
CVE-2018-1257 CVE-2018-1259 CVE-2018-1288
CVE-2018-1336 CVE-2018-8014 CVE-2018-8018
CVE-2018-8039 CVE-2018-8041 CVE-2018-12537
=====================================================================

1. Summary:

An update is now available for Red Hat Fuse.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Fuse enables integration experts, application developers, and
business users to collaborate and independently develop connected
solutions.

Fuse is part of an agile integration solution. Its distributed approach
allows teams to deploy integrated services where required. The API-centric,
container-based architecture decouples services so they can be created,
extended, and deployed independently.

This release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse
7.1, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* xmlrpc: Deserialization of untrusted Java object through
<ex:serializable> tag (CVE-2016-5003)

* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)

* ignite: Improper deserialization allows for code execution via
GridClientJdkMarshaller endpoint (CVE-2018-8018)

* apache-cxf: TLS hostname verification does not work correctly with
com.sun.net.ssl.* (CVE-2018-8039)

* xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
(CVE-2016-5002)

* undertow: Client can use bogus uri in Digest authentication
(CVE-2017-12196)

* spring-data-commons: XXE with Spring Data's XMLBeam integration
(CVE-2018-1259)

* kafka: Users can perform Broker actions via crafted fetch requests,
interfering with data replication and causing data loss (CVE-2018-1288)

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for
all origins (CVE-2018-8014)

* camel-mail: path traversal vulnerability (CVE-2018-8041)

* vertx: Improper neutralization of CRLF sequences allows remote attackers
to inject arbitrary HTTP response headers (CVE-2018-12537)

* spring-framework: ReDoS Attack with spring-messaging (CVE-2018-1257)
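Both XML-RPC entries above (CVE-2016-5002 and CVE-2016-5003) come from the server accepting constructs a request never needs. The following is an added Python example, not Apache XML-RPC's code: it parses a minimal `methodCall` and, in strict mode, refuses any DOCTYPE before the document reaches a resolving parser, which blocks both internal-entity expansion (shown) and the external SYSTEM entity that a resolving parser would fetch when referenced, which is the SSRF path. PAYLOAD, CLEAN, the method name, entity names and the URL are constructed; the SYSTEM entity is declared but not referenced so the example runs offline. Refusing the DTD does nothing for the separate `<ex:serializable>` deserialization path of CVE-2016-5003, which needs the library update.

```python
"""XML-RPC request parsing that refuses DTDs (hardening for the CVE-2016-5002 class).

Added example, not Apache XML-RPC's code. A methodCall never needs a DOCTYPE,
so strict mode rejects the document before any entity (internal or external)
can be expanded or fetched. PAYLOAD and CLEAN are constructed requests.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE methodCall [
  <!ENTITY greeting "hello from the DTD">
  <!ENTITY remote SYSTEM "http://internal.example/secret">
]>
<methodCall>
  <methodName>fuse.ping</methodName>
  <params><param><value><string>&greeting;</string></value></param></params>
</methodCall>"""

CLEAN = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>fuse.ping</methodName>
  <params><param><value><string>hello</string></value></param></params>
</methodCall>"""


def reject_doctype(data: bytes) -> None:
    """Raise ValueError as soon as a DOCTYPE declaration is seen.

    A bare expat parser with only the doctype-start handler set: no entity
    resolution handler is installed, so nothing is fetched during this scan.
    """
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE not allowed in XML-RPC request "
                         f"(root {name!r}, system id {sysid!r})")

    p.StartDoctypeDeclHandler = on_doctype
    p.Parse(data, True)


def parse_method_call(data: bytes, allow_dtd: bool = False) -> tuple:
    """Return (methodName, [string params]) for a minimal methodCall document."""
    if not allow_dtd:
        reject_doctype(data)
    root = ET.fromstring(data)
    if root.tag != "methodCall":
        raise ValueError(f"unexpected root element {root.tag!r}")
    name = root.findtext("methodName")
    params = [p.findtext("value/string") for p in root.findall("params/param")]
    return name, params


def demo() -> dict:
    """Permissive parse expands the DTD's entity; strict parse refuses the document."""
    out = {"permissive": parse_method_call(PAYLOAD, allow_dtd=True),
           "clean_strict": parse_method_call(CLEAN)}
    try:
        parse_method_call(PAYLOAD)
        out["strict"] = "accepted"
    except ValueError:
        out["strict"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The permissive result shows that a stock expat-based parser silently substitutes whatever the DTD defines into a parameter value; the strict parse never gets that far. Refusing the DOCTYPE outright is simpler and more robust than trying to disable each entity feature of each parser individually.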

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
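The Digest check behind the undertow entry (CVE-2017-12196), as an added Python example that is not Undertow's code: the digest response is meant to bind the client's proof to the request target, so a server that computes it from the `uri` the client wrote into the header, instead of the URI actually requested, accepts a header captured for one path on any other path. The realm, nonce, credentials and paths are constructed sample data, and the qop-less response formula is used for brevity; with qop=auth the formula also covers nc, cnonce and qop, but the uri check is the same.

```python
"""Digest authentication: bind the client's proof to the requested URI.

Added example illustrating the bug class behind CVE-2017-12196; not
Undertow's code. Uses the qop-less response formula (RFC 2069 style) for
brevity. Realm, nonce, credentials and paths are constructed sample data.
"""
import hashlib
import hmac
import re

REALM = "fuse-example"                        # constructed
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed; a real server issues a fresh random nonce per challenge
USERS = {"alice": "s3cret"}                   # constructed credential store


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    out = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def digest_response(username: str, password: str, method: str, uri: str) -> str:
    """response = MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{NONCE}:{ha2}")


def client_header(username: str, password: str, method: str, uri: str) -> str:
    """The Authorization header a legitimate client sends for ONE specific request."""
    resp = digest_response(username, password, method, uri)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{resp}"')


def _check(p: dict, method: str, uri: str) -> bool:
    password = USERS.get(p.get("username", ""))
    if password is None or p.get("realm") != REALM or p.get("nonce") != NONCE:
        return False
    expected = digest_response(p["username"], password, method, uri)
    return hmac.compare_digest(expected, p.get("response", ""))


def verify_trusting_header_uri(header: str, method: str, request_uri: str) -> bool:
    """Vulnerable pattern: HA2 is computed over the uri the CLIENT put in the
    header, so the proof is never tied to request_uri and a header captured
    for one path validates on every other path."""
    p = parse_digest(header)
    return _check(p, method, p.get("uri", ""))


def verify_bound_to_request(header: str, method: str, request_uri: str) -> bool:
    """Fixed pattern: the header's uri must equal the request target and the
    digest is recomputed over that target, so replay on another path fails."""
    p = parse_digest(header)
    if p.get("uri") != request_uri:
        return False
    return _check(p, method, request_uri)


def replay_demo() -> tuple:
    """Capture a header for a harmless path, replay it against a sensitive one."""
    captured = client_header("alice", "s3cret", "GET", "/public/report")
    return (
        verify_trusting_header_uri(captured, "GET", "/admin/users"),  # True: replay accepted
        verify_bound_to_request(captured, "GET", "/admin/users"),     # False: replay rejected
        verify_bound_to_request(captured, "GET", "/public/report"),   # True: genuine use still works
    )


if __name__ == "__main__":
    print(replay_demo())
```

The comparison is done with `hmac.compare_digest` rather than `==` so that the verifier does not leak the position of the first mismatching byte; that is independent of the uri bug but belongs in any digest check.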

Red Hat would like to thank Eedo Shapira (GE Digital) for reporting
CVE-2018-8041. The CVE-2017-12196 issue was discovered by Jan Stourac (Red
Hat).
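A way to test a deployment for the tomcat CORS condition (CVE-2018-8014), as an added Python example that is neither Tomcat's nor Red Hat's code. The affected CorsFilter defaulted to allowing every origin with `cors.support.credentials` on; in practice that means the request's Origin is echoed in Access-Control-Allow-Origin next to Access-Control-Allow-Credentials: true, so any site can read authenticated responses with the victim's cookies. `cors_response_headers` is a simplified model of that filter's decision for a simple cross-origin request (an assumption for illustration, not the filter's source); `probe` sends a real request with a foreign Origin and needs network access, so the offline demo does not call it. The origins and config dicts are constructed.

```python
"""Checking a response for the CVE-2018-8014 condition: an untrusted Origin
echoed back together with Access-Control-Allow-Credentials: true.

Added example, not Tomcat's or Red Hat's code. cors_response_headers() is a
simplified model of the CorsFilter's decision for a simple (non-preflight)
cross-origin request; probe() sends a real request against a test instance.
Config values and origins are constructed.
"""
import urllib.request

# Defaults of the affected CorsFilter versions: any origin, credentials on.
INSECURE_DEFAULTS = {"allowed_origins": "*", "support_credentials": True}
# Hardened: explicit allow list, credentials only if the app really needs them.
HARDENED = {"allowed_origins": "https://app.example.com", "support_credentials": False}
# Wildcard without credentials: acceptable for genuinely public, unauthenticated data.
PUBLIC = {"allowed_origins": "*", "support_credentials": False}

ATTACKER_ORIGIN = "https://attacker.example"   # constructed; any origin the target should not trust


def cors_response_headers(cfg: dict, request_origin: str) -> dict:
    """Model of the filter: which CORS headers come back for a given Origin."""
    allowed = cfg["allowed_origins"]
    any_origin = allowed == "*"
    allow_list = set() if any_origin else {o.strip() for o in allowed.split(",") if o.strip()}
    if not any_origin and request_origin not in allow_list:
        return {}                                   # origin not allowed: no CORS headers at all
    headers = {}
    if any_origin and not cfg["support_credentials"]:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        # Browsers refuse "*" together with credentials, so the filter echoes
        # the request's Origin instead; with "*" allowed, that is ANY origin.
        headers["Access-Control-Allow-Origin"] = request_origin
    if cfg["support_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def assess(probe_origin: str, headers: dict) -> str:
    """Classify a response to a request that carried Origin: probe_origin,
    where probe_origin is one the target should NOT trust."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "no-cors"          # cross-origin reads blocked by the browser
    if acao == "*":
        return "wildcard"         # readable cross-origin, but never with cookies
    if acao == probe_origin:
        return "vulnerable" if creds else "reflected"   # untrusted origin echoed back
    return "restricted"           # some other, presumably allow-listed, origin


def probe(url: str, origin: str = ATTACKER_ORIGIN) -> str:
    """Live check: send a foreign Origin and classify the response (needs network)."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess(origin, dict(resp.headers.items()))


def offline_demo() -> dict:
    """Run the classifier over the modelled responses of each configuration."""
    return {name: assess(ATTACKER_ORIGIN, cors_response_headers(cfg, ATTACKER_ORIGIN))
            for name, cfg in (("insecure_defaults", INSECURE_DEFAULTS),
                              ("hardened", HARDENED), ("public", PUBLIC))}


if __name__ == "__main__":
    print(offline_demo())   # {'insecure_defaults': 'vulnerable', 'hardened': 'no-cors', 'public': 'wildcard'}
```

When checking a real instance, probe an endpoint that actually returns session-bound data and use an Origin you control; a "vulnerable" verdict on such an endpoint is the CVE-2018-8014 condition, whereas "wildcard" on a public endpoint is ordinary.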

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are located in the download section of the
customer portal.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication
1508110 - CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
1508123 - CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
1578578 - CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging
1578902 - CVE-2018-1259 spring-data-commons: XXE with Spring Data's XMLBeam integration
1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1591072 - CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers
1595332 - CVE-2018-8039 apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1607731 - CVE-2018-8018 ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint
1611059 - CVE-2018-1288 kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data loss
1612644 - CVE-2018-8041 camel-mail: path traversal vulnerability
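The vertx entry (CVE-2018-12537) is a header-injection class bug: a header value that reaches the wire unvalidated can carry CR LF and so terminate the header and start new headers, or a body, of the attacker's choosing. The following is an added Python example, not Vert.x code: the serializer pattern that allows this beside one that enforces the RFC 7230 token and field-value grammar, plus a receiver-side parse that shows what the injected bytes become. INJECTED is a constructed attacker string, standing in for something like a `next` query parameter that an application copies into Location.

```python
"""Response-header injection (the CVE-2018-12537 bug class).

Added example, not Vert.x code. INJECTED is a constructed attacker string,
e.g. a redirect target an application copies into the Location header.
"""
import re

# RFC 7230 field-value: HTAB, SP, visible ASCII and obs-text. CR, LF and other
# control characters are never legal inside a value.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")
# RFC 7230 token, for header names.
_FIELD_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

INJECTED = ("https://fuse.example/home"
            "\r\nSet-Cookie: JSESSIONID=attacker-chosen"
            "\r\n\r\n<script>alert(document.domain)</script>")


def serialize_head_unchecked(status: int, reason: str, headers: dict) -> bytes:
    """Vulnerable pattern: names and values are copied to the wire verbatim."""
    lines = [f"HTTP/1.1 {status} {reason}"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def serialize_head_checked(status: int, reason: str, headers: dict) -> bytes:
    """Hardened: refuse any name that is not a token or value that is not a field-value.
    fullmatch() is used deliberately: with '$' a value ending in a bare LF would slip through."""
    for k, v in headers.items():
        if not _FIELD_NAME.fullmatch(k):
            raise ValueError(f"invalid header name: {k!r}")
        if not _FIELD_VALUE.fullmatch(v):
            raise ValueError(f"invalid header value for {k}: {v!r}")
    return serialize_head_unchecked(status, reason, headers)


def parse_head(raw: bytes):
    """Receiver's view: status line, 'Name: value' lines up to the first blank line, then body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def demo_unchecked():
    """What a client sees when the injected value goes out unvalidated."""
    status, headers, body = parse_head(
        serialize_head_unchecked(302, "Found", {"Location": INJECTED}))
    return dict(headers), body


def demo_checked() -> bool:
    """True when the hardened serializer refuses the injected value."""
    try:
        serialize_head_checked(302, "Found", {"Location": INJECTED})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hdrs, body = demo_unchecked()
    print(hdrs)   # Location plus an attacker-supplied Set-Cookie
    print(body)   # attacker-supplied body
    print(demo_checked())
```

The unchecked output turns one redirect into a cookie-setting response with attacker-controlled content; a framework fix of this class validates at the point where application-supplied names and values enter the response, so every caller is covered rather than relying on each one to sanitize.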

5. References:

https://access.redhat.com/security/cve/CVE-2016-5002
https://access.redhat.com/security/cve/CVE-2016-5003
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2018-1257
https://access.redhat.com/security/cve/CVE-2018-1259
https://access.redhat.com/security/cve/CVE-2018-1288
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8018
https://access.redhat.com/security/cve/CVE-2018-8039
https://access.redhat.com/security/cve/CVE-2018-8041
https://access.redhat.com/security/cve/CVE-2018-12537
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.2.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.2/
https://access.redhat.com/articles/2939351

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce