- Issued:
- 2024-05-23
- Updated:
- 2024-05-23
RHSA-2024:3354 - Important: Red Hat Fuse 7.13.0 release and security update
Synopsis
Important: Red Hat Fuse 7.13.0 release and security update
Type/Severity
Security Advisory Important
Topic
Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Fuse 7.13.0 is released which includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
-
undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
-
jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
-
jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
-
jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
-
avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)
-
JSON-java: parser confusion leads to OOM (CVE-2023-5072)
-
http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)
-
spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service (CVE-2023-34055)
-
tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
-
activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE (CVE-2022-41678)
-
logback: serialization vulnerability in logback receiver (CVE-2023-6378)
-
logback: A serialization vulnerability in logback receiver (CVE-2023-6481)
-
solr: : Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)
-
shiro: path traversal attack may lead to authentication bypass (CVE-2023-46749)
-
tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
-
springframework: URL Parsing with Host Validation (CVE-2024-22243)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Fuse | 1 | x86_64 |
Fixes
- This content is not included.BZ - 2209689
- This content is not included.BZ - 2239630
- This content is not included.BZ - 2239634
- This content is not included.BZ - 2242521
- This content is not included.BZ - 2243123
- This content is not included.BZ - 2246417
- This content is not included.BZ - 2251917
- This content is not included.BZ - 2252050
- This content is not included.BZ - 2252185
- This content is not included.BZ - 2252230
- This content is not included.BZ - 2252956
- This content is not included.BZ - 2258132
- This content is not included.BZ - 2258134
- This content is not included.BZ - 2259204
- This content is not included.BZ - 2265735
CVEs
- CVE-2022-41678
- CVE-2023-3223
- CVE-2023-5072
- CVE-2023-6378
- CVE-2023-6481
- CVE-2023-34055
- CVE-2023-36478
- CVE-2023-36479
- CVE-2023-39410
- CVE-2023-40167
- CVE-2023-46589
- CVE-2023-46749
- CVE-2023-50290
- CVE-2024-1635
- CVE-2024-21733
- CVE-2024-22243
- CVE-2024-22257
- CVE-2024-28752
References
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.