RHSA-2020:5568: Red Hat Security Advisory: Red Hat Fuse 7.8.0 release and security update

A minor version update (from 7.7 to 7.8) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es):

• libquartz: XXE attacks via job description (CVE-2019-13990)
• jetty: double release of resource can lead to information disclosure (CVE-2019-17638)
• keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
• springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)
• wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)
• camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution (CVE-2020-11972)
• camel: Netty enables Java deserialization by default which could leed to remote code execution (CVE-2020-11973)
• shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)
• camel: server-side template injection and arbitrary file disclosure on templating components (CVE-2020-11994)
• postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)
• shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)
• RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
• jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)
• thrift: Endless loop when feed with specific input data (CVE-2019-0205)
• thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
• mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)
• spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)
• spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)
• codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)
• hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
• org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)
• cxf: does not restrict the number of message attachments (CVE-2019-12406)
• cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
• hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
• batik: SSRF via “xlink:href” (CVE-2019-17566)
• Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)
• Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
• apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)
• cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)
• tika-core: Denial of Service Vulnerabilities in Some of Apache Tika’s Parsers (CVE-2020-9489)
• dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
• netty: compression/decompression codecs don’t enforce limits on buffer allocation sizes (CVE-2020-11612)
• camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)
• karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)
• tika: excessive memory usage in PSDParser (CVE-2020-1950)
• log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs:
• CVE-2018-1000873: jackson-modules-java8: DoS due to an Improper Input Validation
• CVE-2019-0205: thrift: Endless loop when feed with specific input data
• CVE-2019-0210: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
• CVE-2019-2692: mysql-connector-java: privilege escalation in MySQL connector
• CVE-2019-3773: spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
• CVE-2019-3774: spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
• CVE-2019-10202: codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
• CVE-2019-10219: hibernate-validator: safeHTML validator allows XSS
• CVE-2019-10768: AngularJS: Prototype pollution in merge function could result in code injection
• CVE-2019-11777: org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library
• CVE-2019-12406: cxf: does not restrict the number of message attachments
• CVE-2019-12423: cxf: OpenId Connect token service does not properly validate the clientId
• CVE-2019-13990: libquartz: XXE attacks via job description
• CVE-2019-14900: hibernate: SQL injection issue in Hibernate ORM
• CVE-2019-17566: batik: SSRF via “xlink:href”
• CVE-2019-17638: jetty: double release of resource can lead to information disclosure
• CVE-2019-19343: Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
• CVE-2020-1714: keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
• CVE-2020-1719: Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
• CVE-2020-1950: tika: excessive memory usage in PSDParser
• CVE-2020-1960: apache-flink: JMX information disclosure vulnerability
• CVE-2020-5398: springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
• CVE-2020-5410: spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack
• CVE-2020-7226: cryptacular: excessive memory allocation during a decode operation
• CVE-2020-7676: nodejs-angular: XSS due to regex-based HTML replacement
• CVE-2020-9488: log4j: improper validation of certificate with host mismatch in SMTP appender
• CVE-2020-9489: tika-core: Denial of Service Vulnerabilities in Some of Apache Tika’s Parsers
• CVE-2020-10683: dom4j: XML External Entity vulnerability in default SAX parser
• CVE-2020-10740: wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
• CVE-2020-11612: netty: compression/decompression codecs don’t enforce limits on buffer allocation sizes
• CVE-2020-11971: camel: DNS Rebinding in JMX Connector could result in remote command execution
• CVE-2020-11972: camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution
• CVE-2020-11973: camel: Netty enables Java deserialization by default which could leed to remote code execution
• CVE-2020-11980: karaf: A remote client could create MBeans from arbitrary URLs
• CVE-2020-11989: shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass
• CVE-2020-11994: camel: server-side template injection and arbitrary file disclosure on templating components
• CVE-2020-13692: postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
• CVE-2020-13933: shiro: specially crafted HTTP request may cause an authentication bypass
• CVE-2020-14326: RESTEasy: Caching routes in RootNode may result in DoS