Issued:: 2014-05-14
Updated:: 2014-05-14

RHSA-2014:0497 - Important: Red Hat JBoss Fuse 6.1.0 security update

Synopsis

Important: Red Hat JBoss Fuse 6.1.0 security update

Type/Severity

Security Advisory Important

Topic

Red Hat JBoss Fuse 6.1.0 Patch 1, a security update that addresses one security issue, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Description

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.

It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114)

Refer to the readme.txt file included with the patch files for installation instructions.

All users of Red Hat JBoss Fuse 6.1.0 as provided from the Red Hat Customer Portal are advised to apply this security update.

Solution

The References section of this erratum contains a download link (you must log in to download the update).

Affected Products

Product	Version	Arch
Red Hat Fuse	1	x86_64

Fixes

This content is not included.BZ - 1091938

CVEs

CVE-2014-0114

References

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.