RHSA-2020:3192: Red Hat Security Advisory: Red Hat Fuse 7.7.0 release and security update
A minor version update (from 7.6 to 7.7) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This release of Red Hat Fuse 7.7.0 serves as a replacement for Red Hat Fuse 7.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):
- netty (CVE-2016-4970 CVE-2020-7238 CVE-2019-20444 CVE-2019-20445)
- dom4j (CVE-2018-1000632)
- elasticsearch (CVE-2018-3831)
- pdfbox (CVE-2018-11797)
- vertx (CVE-2018-12541)
- spring-data-jpa (CVE-2019-3797)
- mina-core (CVE-2019-0231)
- jackson-databind (CVE-2019-12086 CVE-2019-16335 CVE-2019-14540 CVE-2019-17267 CVE-2019-14892 CVE-2019-14893 CVE-2019-16942 CVE-2019-16943 CVE-2019-17531 CVE-2019-20330 CVE-2020-10673 CVE-2020-10672 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113 CVE-2020-11620 CVE-2020-11619 CVE-2020-14195 CVE-2020-14060 CVE-2020-14061 CVE-2020-14062)
- jackson-mapper-asl (CVE-2019-10172)
- hawtio (CVE-2019-9827)
- undertow (CVE-2019-9511 CVE-2020-1757 CVE-2019-14888 CVE-2020-1745)
- santuario (CVE-2019-12400)
- apache-commons-beanutils (CVE-2019-10086)
- cxf (CVE-2019-17573)
- apache-commons-configuration (CVE-2020-1953)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
- CVE-2016-4970: netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
- CVE-2018-3831: elasticsearch: Information exposure via _cluster/settings API
- CVE-2018-11797: pdfbox: unbounded computation in parser resulting in a denial of service
- CVE-2018-12541: vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake
- CVE-2018-1000632: dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents
- CVE-2019-0231: mina-core: Retaining an open socket in close_notify SSL-TLS leading to information disclosure
- CVE-2019-3797: spring-data-jpa: Additional information exposure with Spring Data JPA derived queries
- CVE-2019-9511: HTTP/2: large amount of data requests leads to denial of service
- CVE-2019-9827: hawtio: server side request forgery via initial /proxy/ substring of a URI
- CVE-2019-10086: apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default
- CVE-2019-10172: jackson-mapper-asl: XML external entity similar to CVE-2016-3720
- CVE-2019-12086: jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server
- CVE-2019-12400: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source
- CVE-2019-12419: cxf: OpenId Connect token service does not properly validate the clientId
- CVE-2019-14540: jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
- CVE-2019-14888: undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
- CVE-2019-14892: jackson-databind: Serialization gadgets in classes of the commons-configuration package
- CVE-2019-14893: jackson-databind: Serialization gadgets in classes of the xalan package
- CVE-2019-16335: jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
- CVE-2019-16942: jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
- CVE-2019-16943: jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
- CVE-2019-17267: jackson-databind: Serialization gadgets in classes of the ehcache package
- CVE-2019-17531: jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
- CVE-2019-17573: cxf: reflected XSS in the services listing page
- CVE-2019-20330: jackson-databind: lacks certain net.sf.ehcache blocking
- CVE-2019-20444: netty: HTTP request smuggling
- CVE-2019-20445: netty: HttpObjectDecoder.java allows Content-Length header to be accompanied by second Content-Length header
- CVE-2020-1745: undertow: AJP File Read/Inclusion Vulnerability
- CVE-2020-1757: undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
- CVE-2020-1953: apache-commons-configuration: uncontrolled class instantiation when loading YAML files
- CVE-2020-7238: netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
- CVE-2020-8840: jackson-databind: Lacks certain xbean-reflect/JNDI blocking
- CVE-2020-9546: jackson-databind: Serialization gadgets in shaded-hikari-config
- CVE-2020-9547: jackson-databind: Serialization gadgets in ibatis-sqlmap
- CVE-2020-9548: jackson-databind: Serialization gadgets in anteros-core
- CVE-2020-10672: jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
- CVE-2020-10673: jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
- CVE-2020-10687: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests
- CVE-2020-10968: jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider
- CVE-2020-10969: jackson-databind: Serialization gadgets in javax.swing.JEditorPane
- CVE-2020-11111: jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory
- CVE-2020-11112: jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider
- CVE-2020-11113: jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime
- CVE-2020-11619: jackson-databind: Serialization gadgets in org.springframework:spring-aop
- CVE-2020-11620: jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
- CVE-2020-14060: jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool
- CVE-2020-14061: jackson-databind: serialization in weblogic/oracle-aqjms
- CVE-2020-14062: jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
- CVE-2020-14195: jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory