Issued:
2018-09-11
Updated:
2018-09-11

RHSA-2018:2669 - Important: Fuse 7.1 security update

Synopsis

Important: Fuse 7.1 security update

Type/Severity

Security Advisory Important

Topic

An update is now available for Red Hat Fuse.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.

This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)

  • thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (CVE-2016-5397)

  • slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)

  • jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)

  • bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)

  • bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)

  • bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)

  • bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342)

  • bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)

  • bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)

  • bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)

  • bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)

  • async-http-client: Invalid URL parsing with '?' (CVE-2017-14063)

  • undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)

  • spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)

  • tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)

  • tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)

  • pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF (CVE-2018-8036)

  • jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)

  • bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)

  • bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)

  • bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)

  • spring-framework: Multipart content pollution (CVE-2018-1272)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are located in the download section of the customer portal.

The References section of this erratum contains a download link (you must log in to download the update).

Affected Products

ProductVersionArch
Red Hat Fuse1x86_64

Fixes

CVEs

References

Additional information