RHSA-2021:5134: Red Hat Security Advisory: Red Hat Fuse 7.10.0 release and security update

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Red Hat Security Data

Issued:

2021-12-14

Updated:

2021-12-14

RHSA-2021:5134 - Security Advisory

Synopsis

Critical: Red Hat Fuse 7.10.0 release and security update

Type/Severity

Security Advisory: Critical

Topic

A minor version update (from 7.9 to 7.10) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat Fuse 7.10.0 serves as a replacement for Red Hat Fuse 7.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • log4j-core (CVE-2020-9488, CVE-2021-44228)
  • nodejs-lodash (CVE-2019-10744)
  • libthrift (CVE-2020-13949)
  • xstream (CVE-2020-26217, CVE-2020-26259, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351)
  • undertow (CVE-2020-27782, CVE-2021-3597, CVE-2021-3629, CVE-2021-3690)
  • xmlbeans (CVE-2021-23926)
  • batik (CVE-2020-11987)
  • xmlgraphics-commons (CVE-2020-11988)
  • tomcat (CVE-2020-13943, CVE-2020-17527)
  • bouncycastle (CVE-2020-15522)
  • groovy (CVE-2020-17521)
  • jetty (CVE-2020-27218, CVE-2020-27223, CVE-2021-28163, CVE-2021-28164, CVE-2021-28169, CVE-2021-34428)
  • jackson-dataformat-cbor (CVE-2020-28491)
  • jboss-remoting (CVE-2020-35510)
  • kubernetes-client (CVE-2021-20218)
  • netty (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409)
  • spring-web (CVE-2021-22118)
  • cxf-core (CVE-2021-22696)
  • json-smart (CVE-2021-27568)
  • jakarta.el (CVE-2021-28170)
  • commons-io (CVE-2021-29425)
  • sshd-core (CVE-2021-30129)
  • cxf-rt-rs-json-basic (CVE-2021-30468)
  • netty-codec (CVE-2021-37136, CVE-2021-37137)
  • jsoup (CVE-2021-37714)
  • poi (CVE-2019-12415)
  • mysql-connector-java (CVE-2020-2875, CVE-2020-2934)
  • wildfly (CVE-2021-3536)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
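The headline fix in this release is CVE-2021-44228 in log4j-core. Fuse deployments bundle libraries inside jars, wars and ears, so an inventory that only looks at top-level file names misses nested copies. The following Python script, added here as an example and not part of Red Hat's advisory or tooling, walks an install directory and reports every archive (including archives nested inside other archives) that still contains org/apache/logging/log4j/core/lookup/JndiLookup.class, the class whose JNDI lookup is abused in CVE-2021-44228. The directory layout and the sample archives it builds are constructed for the demonstration; presence of the class is an indicator that a log4j-core build predates the fix or was not stripped, not a version check.

```python
"""Find Java archives that still ship log4j-core's JndiLookup class.

Added example for RHSA-2021:5134; not Red Hat code. Assumes any Java install
tree (Fuse on Karaf or EAP, for instance). Nested archives are descended into
because application servers bundle libraries inside .war/.ear files.
"""
import io
import os
import tempfile
import zipfile
from typing import Iterator, List, Tuple

# Class removed by the Log4j project as a stopgap for CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _walk_archive(zf: zipfile.ZipFile, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (logical_path, member_name) for every member of zf, recursing
    into nested archives. logical_path looks like 'app.ear!/lib/x.jar'."""
    for name in zf.namelist():
        yield path, name
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    yield from _walk_archive(inner, f"{path}!/{name}")
            except (zipfile.BadZipFile, RuntimeError):
                # Corrupt or encrypted nested entry: note it, keep scanning.
                yield path, f"{name} (unreadable nested archive)"


def find_jndi_lookup(root: str) -> List[str]:
    """Return the logical path of every archive under root (outer or nested)
    that contains JndiLookup.class. Empty list means none was found."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(full) as zf:
                    for logical, member in _walk_archive(zf, full):
                        if member == JNDI_LOOKUP:
                            hits.append(logical)
            except zipfile.BadZipFile:
                continue  # not a zip despite the extension
    return sorted(set(hits))


def build_demo(root: str) -> None:
    """Constructed sample data (not real Red Hat artifacts): a log4j-core jar
    that still contains JndiLookup.class nested inside an .ear, plus a clean
    jar that must not be reported."""
    os.makedirs(root, exist_ok=True)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(root, "app.ear"), "w") as ear:
        ear.writestr("lib/log4j-core-2.x.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")


def demo() -> List[str]:
    """Build the constructed tree in a temp dir, scan it, and return the hits
    relative to that dir so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return [h[len(tmp) + 1:] for h in find_jndi_lookup(tmp)]


if __name__ == "__main__":
    for hit in demo():
        print("JndiLookup.class present in:", hit)
```

Point find_jndi_lookup at the library directories of the container Fuse runs on and treat every hit as a candidate for the upgrade this advisory describes; removing the class from a jar is only a stopgap, and RHSB-2021-009 in the References carries Red Hat's product-level guidance for CVE-2021-44228.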

Affected Products

  • Red Hat Fuse 1 x86_64

Fixes

  • BZ - 1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
  • BZ - 1802531 - CVE-2019-12415 poi: a specially crafted Microsoft Excel document allows attacker to read files from the local filesystem
  • BZ - 1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
  • BZ - 1851014 - CVE-2020-2934 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
  • BZ - 1851019 - CVE-2020-2875 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
  • BZ - 1887648 - CVE-2020-13943 tomcat: Apache Tomcat HTTP/2 Request mix-up
  • BZ - 1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
  • BZ - 1901304 - CVE-2020-27782 undertow: special character in query results in server errors
  • BZ - 1902826 - CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
  • BZ - 1904221 - CVE-2020-17527 tomcat: HTTP/2 request header mix-up
  • BZ - 1905796 - CVE-2020-35510 jboss-remoting: Threads in the EJB server are held up forever when an EJB client suppresses the ack
  • BZ - 1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
  • BZ - 1922102 - CVE-2021-23926 xmlbeans: allowed malicious XML input may lead to XML Entity Expansion attack
  • BZ - 1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
  • BZ - 1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
  • BZ - 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
  • BZ - 1928172 - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
  • BZ - 1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
  • BZ - 1933808 - CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel
  • BZ - 1933816 - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
  • BZ - 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of “quality” parameters may lead to DoS
  • BZ - 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due to missing validation
  • BZ - 1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
  • BZ - 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
  • BZ - 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
  • BZ - 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
  • BZ - 1942554 - CVE-2021-21344 XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet
  • BZ - 1942558 - CVE-2021-21345 XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry
  • BZ - 1942578 - CVE-2021-21346 XStream: Unsafe deserialization of sun.swing.SwingLazyValue
  • BZ - 1942629 - CVE-2021-21347 XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
  • BZ - 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
  • BZ - 1942635 - CVE-2021-21349 XStream: SSRF can be triggered by unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
  • BZ - 1942637 - CVE-2021-21350 XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader
  • BZ - 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
  • BZ - 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
  • BZ - 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
  • BZ - 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
  • BZ - 1946341 - CVE-2021-22696 cxf: OAuth 2 authorization service vulnerable to DDoS attacks
  • BZ - 1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode
  • BZ - 1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
  • BZ - 1962879 - CVE-2020-15522 bouncycastle: Timing issue within the EC math library
  • BZ - 1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated
  • BZ - 1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
  • BZ - 1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
  • BZ - 1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
  • BZ - 1974854 - CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
  • BZ - 1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
  • BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DoS
  • BZ - 1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
  • BZ - 1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
  • BZ - 1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
  • BZ - 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn’t allow setting size restrictions for decompressed data
  • BZ - 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn’t restrict chunk length and may buffer skippable chunks in an unnecessary way
  • BZ - 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value

CVEs

  • CVE-2019-10744
  • CVE-2019-12415
  • CVE-2020-2875
  • CVE-2020-2934
  • CVE-2020-9488
  • CVE-2020-11987
  • CVE-2020-11988
  • CVE-2020-13943
  • CVE-2020-13949
  • CVE-2020-15522
  • CVE-2020-17521
  • CVE-2020-17527
  • CVE-2020-26217
  • CVE-2020-26259
  • CVE-2020-27218
  • CVE-2020-27223
  • CVE-2020-27782
  • CVE-2020-28491
  • CVE-2020-35510
  • CVE-2021-3536
  • CVE-2021-3597
  • CVE-2021-3629
  • CVE-2021-3690
  • CVE-2021-20218
  • CVE-2021-21290
  • CVE-2021-21295
  • CVE-2021-21341
  • CVE-2021-21342
  • CVE-2021-21343
  • CVE-2021-21344
  • CVE-2021-21345
  • CVE-2021-21346
  • CVE-2021-21347
  • CVE-2021-21348
  • CVE-2021-21349
  • CVE-2021-21350
  • CVE-2021-21351
  • CVE-2021-21409
  • CVE-2021-22118
  • CVE-2021-22696
  • CVE-2021-23926
  • CVE-2021-27568
  • CVE-2021-28163
  • CVE-2021-28164
  • CVE-2021-28169
  • CVE-2021-28170
  • CVE-2021-29425
  • CVE-2021-30129
  • CVE-2021-30468
  • CVE-2021-34428
  • CVE-2021-37136
  • CVE-2021-37137
  • CVE-2021-37714
  • CVE-2021-44228

References

  • https://access.redhat.com/security/updates/classification/#critical
  • https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/
  • https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.10.0
  • https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
