RHSA-2020:3192: Red Hat Security Advisory: Red Hat Fuse 7.7.0 release and security update

A minor version update (from 7.6 to 7.7) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This release of Red Hat Fuse 7.7.0 serves as a replacement for Red Hat Fuse 7.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • netty (CVE-2016-4970 CVE-2020-7238 CVE-2019-20444 CVE-2019-20445)
  • dom4j (CVE-2018-1000632)
  • elasticsearch (CVE-2018-3831)
  • pdfbox (CVE-2018-11797)
  • vertx (CVE-2018-12541)
  • spring-data-jpa (CVE-2019-3797)
  • mina-core (CVE-2019-0231)
  • jackson-databind (CVE-2019-12086 CVE-2019-16335 CVE-2019-14540 CVE-2019-17267 CVE-2019-14892 CVE-2019-14893 CVE-2019-16942 CVE-2019-16943 CVE-2019-17531 CVE-2019-20330 CVE-2020-10673 CVE-2020-10672 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113 CVE-2020-11620 CVE-2020-11619 CVE-2020-14195 CVE-2020-14060 CVE-2020-14061 CVE-2020-14062)
  • jackson-mapper-asl (CVE-2019-10172)
  • hawtio (CVE-2019-9827)
  • undertow (CVE-2019-9511 CVE-2020-1757 CVE-2019-14888 CVE-2020-1745)
  • santuario (CVE-2019-12400)
  • apache-commons-beanutils (CVE-2019-10086)
  • cxf (CVE-2019-17573)
  • apache-commons-configuration (CVE-2020-1953)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
  • CVE-2016-4970: netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
  • CVE-2018-3831: elasticsearch: Information exposure via _cluster/settings API
  • CVE-2018-11797: pdfbox: unbounded computation in parser resulting in a denial of service
  • CVE-2018-12541: vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake
  • CVE-2018-1000632: dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents
  • CVE-2019-0231: mina-core: retaining an open socket after SSL/TLS close_notify, leading to information disclosure
  • CVE-2019-3797: spring-data-jpa: Additional information exposure with Spring Data JPA derived queries
  • CVE-2019-9511: HTTP/2: large amount of data requests leads to denial of service
  • CVE-2019-9827: hawtio: server side request forgery via initial /proxy/ substring of a URI
  • CVE-2019-10086: apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default
  • CVE-2019-10172: jackson-mapper-asl: XML external entity similar to CVE-2016-3720
  • CVE-2019-12086: jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server
  • CVE-2019-12400: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source
  • CVE-2019-12419: cxf: OpenId Connect token service does not properly validate the clientId
  • CVE-2019-14540: jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
  • CVE-2019-14888: undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
  • CVE-2019-14892: jackson-databind: Serialization gadgets in classes of the commons-configuration package
  • CVE-2019-14893: jackson-databind: Serialization gadgets in classes of the xalan package
  • CVE-2019-16335: jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
  • CVE-2019-16942: jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
  • CVE-2019-16943: jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
  • CVE-2019-17267: jackson-databind: Serialization gadgets in classes of the ehcache package
  • CVE-2019-17531: jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
  • CVE-2019-17573: cxf: reflected XSS in the services listing page
  • CVE-2019-20330: jackson-databind: lacks certain net.sf.ehcache blocking
  • CVE-2019-20444: netty: HTTP request smuggling
  • CVE-2019-20445: netty: HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header
  • CVE-2020-1745: undertow: AJP File Read/Inclusion Vulnerability
  • CVE-2020-1757: undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
  • CVE-2020-1953: apache-commons-configuration: uncontrolled class instantiation when loading YAML files
  • CVE-2020-7238: netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
  • CVE-2020-8840: jackson-databind: Lacks certain xbean-reflect/JNDI blocking
  • CVE-2020-9546: jackson-databind: Serialization gadgets in shaded-hikari-config
  • CVE-2020-9547: jackson-databind: Serialization gadgets in ibatis-sqlmap
  • CVE-2020-9548: jackson-databind: Serialization gadgets in anteros-core
  • CVE-2020-10672: jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
  • CVE-2020-10673: jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
  • CVE-2020-10687: undertow: incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests
  • CVE-2020-10968: jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider
  • CVE-2020-10969: jackson-databind: Serialization gadgets in javax.swing.JEditorPane
  • CVE-2020-11111: jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory
  • CVE-2020-11112: jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider
  • CVE-2020-11113: jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime
  • CVE-2020-11619: jackson-databind: Serialization gadgets in org.springframework:spring-aop
  • CVE-2020-11620: jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
  • CVE-2020-14060: jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool
  • CVE-2020-14061: jackson-databind: serialization in weblogic/oracle-aqjms
  • CVE-2020-14062: jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
  • CVE-2020-14195: jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory
Red Hat Security Data