Headline
RHSA-2020:5568: Red Hat Security Advisory: Red Hat Fuse 7.8.0 release and security update
A minor version update (from 7.7 to 7.8) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):
- libquartz: XXE attacks via job description (CVE-2019-13990)
- jetty: double release of resource can lead to information disclosure (CVE-2019-17638)
- keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
- springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)
- wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)
- camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution (CVE-2020-11972)
- camel: Netty enables Java deserialization by default which could lead to remote code execution (CVE-2020-11973)
- shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)
- camel: server-side template injection and arbitrary file disclosure on templating components (CVE-2020-11994)
- postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)
- shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)
- RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
- jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)
- thrift: Endless loop when feed with specific input data (CVE-2019-0205)
- thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
- mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)
- spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)
- spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)
- codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)
- hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
- org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)
- cxf: does not restrict the number of message attachments (CVE-2019-12406)
- cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
- hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
- batik: SSRF via “xlink:href” (CVE-2019-17566)
- Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)
- Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
- apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)
- cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)
- tika-core: Denial of Service Vulnerabilities in Some of Apache Tika’s Parsers (CVE-2020-9489)
- dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
- netty: compression/decompression codecs don’t enforce limits on buffer allocation sizes (CVE-2020-11612)
- camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)
- karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)
- tika: excessive memory usage in PSDParser (CVE-2020-1950)
- log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
- CVE-2018-1000873: jackson-modules-java8: DoS due to an Improper Input Validation
- CVE-2019-0205: thrift: Endless loop when feed with specific input data
- CVE-2019-0210: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
- CVE-2019-2692: mysql-connector-java: privilege escalation in MySQL connector
- CVE-2019-3773: spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
- CVE-2019-3774: spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
- CVE-2019-10202: codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
- CVE-2019-10219: hibernate-validator: safeHTML validator allows XSS
- CVE-2019-10768: AngularJS: Prototype pollution in merge function could result in code injection
- CVE-2019-11777: org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library
- CVE-2019-12406: cxf: does not restrict the number of message attachments
- CVE-2019-12423: cxf: OpenId Connect token service does not properly validate the clientId
- CVE-2019-13990: libquartz: XXE attacks via job description
- CVE-2019-14900: hibernate: SQL injection issue in Hibernate ORM
- CVE-2019-17566: batik: SSRF via “xlink:href”
- CVE-2019-17638: jetty: double release of resource can lead to information disclosure
- CVE-2019-19343: Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
- CVE-2020-1714: keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
- CVE-2020-1719: Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
- CVE-2020-1950: tika: excessive memory usage in PSDParser
- CVE-2020-1960: apache-flink: JMX information disclosure vulnerability
- CVE-2020-5398: springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
- CVE-2020-5410: spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack
- CVE-2020-7226: cryptacular: excessive memory allocation during a decode operation
- CVE-2020-7676: nodejs-angular: XSS due to regex-based HTML replacement
- CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender
- CVE-2020-9489: tika-core: Denial of Service Vulnerabilities in Some of Apache Tika’s Parsers
- CVE-2020-10683: dom4j: XML External Entity vulnerability in default SAX parser
- CVE-2020-10740: wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
- CVE-2020-11612: netty: compression/decompression codecs don’t enforce limits on buffer allocation sizes
- CVE-2020-11971: camel: DNS Rebinding in JMX Connector could result in remote command execution
- CVE-2020-11972: camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution
- CVE-2020-11973: camel: Netty enables Java deserialization by default which could lead to remote code execution
- CVE-2020-11980: karaf: A remote client could create MBeans from arbitrary URLs
- CVE-2020-11989: shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass
- CVE-2020-11994: camel: server-side template injection and arbitrary file disclosure on templating components
- CVE-2020-13692: postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
- CVE-2020-13933: shiro: specially crafted HTTP request may cause an authentication bypass
- CVE-2020-14326: RESTEasy: Caching routes in RootNode may result in DoS
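As an added example (not part of the advisory or of Red Hat's tooling), the script below parses the two lists above into structured records, groups the Security Fix(es) entries by vulnerability class for triage, and reports CVEs that appear under Related CVEs but have no Security Fix(es) entry (on this page CVE-2019-10768, CVE-2020-5410 and CVE-2020-7676 are in that situation). The embedded lines are a subset copied from the lists above; the keyword-to-class mapping is a heuristic of my own, not a Red Hat classification.

```python
import re

# Subset of lines copied from the advisory's "Security Fix(es)" list above,
# embedded so the script runs offline.
SECURITY_FIXES = """\
- libquartz: XXE attacks via job description (CVE-2019-13990)
- keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
- camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution (CVE-2020-11972)
- shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)
- RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
- postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)
- batik: SSRF via “xlink:href” (CVE-2019-17566)
"""

# Subset of lines copied from the advisory's "Related CVEs" list above,
# including two entries that have no Security Fix(es) counterpart.
RELATED_CVES = """\
- CVE-2019-13990: libquartz: XXE attacks via job description
- CVE-2019-10768: AngularJS: Prototype pollution in merge function could result in code injection
- CVE-2020-1714: keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
- CVE-2020-11972: camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution
- CVE-2020-13933: shiro: specially crafted HTTP request may cause an authentication bypass
- CVE-2020-14326: RESTEasy: Caching routes in RootNode may result in DoS
- CVE-2020-13692: postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
- CVE-2019-17566: batik: SSRF via “xlink:href”
- CVE-2020-5410: spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack
"""

# "- component: summary (CVE-YYYY-NNNN)"
FIX_RE = re.compile(r"^- (?P<component>[^:]+): (?P<summary>.+) \((?P<cve>CVE-\d{4}-\d{4,7})\)\s*$")
# "- CVE-YYYY-NNNN: component: summary"
RELATED_RE = re.compile(r"^- (?P<cve>CVE-\d{4}-\d{4,7}): (?P<component>[^:]+): (?P<summary>.+?)\s*$")

# Heuristic vulnerability classes (my own mapping, first match wins). Order
# matters: a deserialization bug that "leads to RCE" is filed as deserialization.
CLASS_RULES = [
    ("deserialization", r"deserializ|objectinputstream"),
    ("xxe", r"\bxxe\b|xml external entity"),
    ("auth-bypass", r"authentication bypass"),
    ("ssrf", r"\bssrf\b"),
    ("path-traversal", r"directory traversal|path traversal"),
    ("dos", r"\bdos\b|denial of service|endless loop|memory"),
    ("rce", r"remote code execution|remote command execution|code injection"),
    ("injection", r"sql injection|template injection|\bxss\b"),
]


def classify(summary):
    """Return the first vulnerability class whose pattern matches the summary, else 'other'."""
    text = summary.lower()
    for name, pattern in CLASS_RULES:
        if re.search(pattern, text):
            return name
    return "other"


def parse_list(text, pattern):
    """Parse every non-blank line with the given regex; fail loudly on an unexpected line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = pattern.match(line)
        if m is None:
            raise ValueError(f"unparsed advisory line: {line!r}")
        entries.append(m.groupdict())
    return entries


def triage(fixes_text=SECURITY_FIXES, related_text=RELATED_CVES):
    """Group fixes by class and cross-check the two CVE lists against each other."""
    fixes = parse_list(fixes_text, FIX_RE)
    related = parse_list(related_text, RELATED_RE)
    by_class = {}
    for fix in fixes:
        by_class.setdefault(classify(fix["summary"]), []).append(fix["cve"])
    fix_ids = {f["cve"] for f in fixes}
    related_ids = {r["cve"] for r in related}
    return {
        "by_class": by_class,
        "related_only": [r["cve"] for r in related if r["cve"] not in fix_ids],
        "fixes_only": [f["cve"] for f in fixes if f["cve"] not in related_ids],
    }


if __name__ == "__main__":
    result = triage()
    for cls, cves in result["by_class"].items():
        print(f"{cls:16s} {', '.join(cves)}")
    print("listed as related but with no Security Fix(es) entry:", result["related_only"])
```

The cross-check is the part worth keeping when you adapt this to a full advisory: a CVE that appears only under Related CVEs may be fixed in a bundled component that the Security Fix(es) prose does not call out, so it still needs to be mapped to your deployed artifacts before you close the ticket.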