
Red Hat Security Advisory 2023-0661-01

Red Hat Security Advisory 2023-0661-01 - A security update for Fuse 7.11.1 is now available for Red Hat Fuse on EAP.

Packet Storm
====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Fuse 7.11.1.P1 security update for Fuse on EAP
Advisory ID:       RHSA-2023:0661-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0661
Issue date:        2023-02-08
CVE Names:         CVE-2022-36437
====================================================================

1. Summary:

A security update for Fuse 7.11.1 is now available for Red Hat Fuse on EAP.

The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

This asynchronous update (7.11.1.P1) patches Red Hat Fuse 7.11.1 on EAP and includes the following security fix, which is documented in the Release Notes document linked to in the References.

Security Fix(es):

* hazelcast: Hazelcast connection caching (CVE-2022-36437)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are available from the Fuse 7.11 product documentation page:

https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching

5. References:

https://access.redhat.com/security/cve/CVE-2022-36437
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=7.11.1

6. Contact:

The Red Hat security contact is <[email protected]>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Red Hat Security Advisory 2023-3954-01

Red Hat Security Advisory 2023-3954-01 - This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, code execution, denial of service, information leakage, resource exhaustion, server-side request forgery, and traversal vulnerabilities.

RHSA-2023:3954: Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update

A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2012-5783: It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or su...

RHSA-2023:0661: Red Hat Security Advisory: Red Hat Fuse 7.11.1.P1 security update for Fuse on EAP

A security update for Fuse 7.11.1 is now available for Red Hat Fuse on EAP. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36437: A flaw was found in Hazelcast and Hazelcast Jet. This flaw may allow an attacker unauthenticated access to manipulate data in the cluster.

Red Hat Security Advisory 2023-0483-01

Red Hat Security Advisory 2023-0483-01 - This asynchronous update patches Red Hat Fuse 7.11.1 on Karaf and Red Hat Fuse 7.11.1 on Spring Boot and includes several security fixes, which are documented in the Release Notes document linked to in the References. Issues addressed include a server-side request forgery vulnerability.

RHSA-2023:0483: Red Hat Security Advisory: Red Hat Fuse 7.11.1.P1 security update

A security update for Fuse 7.11.1 is now available for Red Hat Fuse on Karaf and Red Hat Fuse on Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-36437: hazelcast: Hazelcast connection caching * CVE-2022-46363: Apache CXF: directory listing / code exfiltration * CVE-2022-46364: Apache CXF: SSRF Vulnerability

CVE-2022-36437: Hazelcast connection caching

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

GHSA-c5hg-mr8r-f6jp: Hazelcast connection caching

### Impact

The Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity. The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

### Patches

* Hazelcast Jet (and Enterprise) 4.5.4
* Hazelcast IMDG (and Enterprise) 3.12.13
* Hazelcast IMDG (and Enterprise) 4.1.10
* Hazelcast IMDG (and Enterprise) 4.2.6
* Hazelcast Platform (and Enterprise) 5.1.3

### Workarounds

There is no known workaround, but setups with TLS and mutual authentication enabled significantly lower the exploitation risk.

### References

https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437
