Red Hat Security Advisory: Red Hat Fuse 7.7.0 release and security update
🔗 CVE IDs covered (49)
📋 Description
CVE-2016-4970 — netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl CVE-2018-3831 — elasticsearch: Information exposure via _cluster/settings API CVE-2018-11797 — pdfbox: unbounded computation in parser resulting in a denial of service CVE-2018-12541 — vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake CVE-2018-1000632 — dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents CVE-2019-0231 — mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure. CVE-2019-3797 — spring-data-jpa: Additional information exposure with Spring Data JPA derived queries CVE-2019-9511 — HTTP/2: large amount of data requests leads to denial of service CVE-2019-9827 — hawtio: server side request forgery via initial /proxy/ substring of a URI CVE-2019-10086 — apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default CVE-2019-10172 — jackson-mapper-asl: XML external entity similar to CVE-2016-3720 CVE-2019-12086 — jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. CVE-2019-12400 — xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source CVE-2019-12419 — cxf: OpenId Connect token service does not properly validate the clientId CVE-2019-14540 — jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig CVE-2019-14888 — undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS CVE-2019-14892 — jackson-databind: Serialization gadgets in classes of the commons-configuration package CVE-2019-14893 — jackson-databind: Serialization gadgets in classes of the xalan package CVE-2019-16335 — jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource CVE-2019-16942 — jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* CVE-2019-16943 — jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource CVE-2019-17267 — jackson-databind: Serialization gadgets in classes of the ehcache package CVE-2019-17531 — jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* CVE-2019-17573 — cxf: reflected XSS in the services listing page CVE-2019-20330 — jackson-databind: lacks certain net.sf.ehcache blocking CVE-2019-20444 — netty: HTTP request smuggling CVE-2019-20445 — netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header CVE-2020-1745 — undertow: AJP File Read/Inclusion Vulnerability CVE-2020-1757 — undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass CVE-2020-1953 — apache-commons-configuration: uncontrolled class instantiation when loading YAML files CVE-2020-7238 — netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling CVE-2020-8840 — jackson-databind: Lacks certain xbean-reflect/JNDI blocking CVE-2020-9546 — jackson-databind: Serialization gadgets in shaded-hikari-config CVE-2020-9547 — jackson-databind: Serialization gadgets in ibatis-sqlmap CVE-2020-9548 — jackson-databind: Serialization gadgets in anteros-core CVE-2020-10672 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10673 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10687 — Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests CVE-2020-10968 — jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider CVE-2020-10969 — jackson-databind: Serialization gadgets in javax.swing.JEditorPane CVE-2020-11111 — jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory CVE-2020-11112 — jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider CVE-2020-11113 — jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime CVE-2020-11619 — jackson-databind: Serialization gadgets in org.springframework:spring-aop CVE-2020-11620 — jackson-databind: Serialization gadgets in commons-jelly:commons-jelly CVE-2020-14060 — jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool CVE-2020-14061 — jackson-databind: serialization in weblogic/oracle-aqjms CVE-2020-14062 — jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool CVE-2020-14195 — jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory
🔗 References (52)
- selfhttps://access.redhat.com/errata/RHSA-2020:3192
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.7.0
- externalhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.7/
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1343616
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1620529
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1632452
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1637492
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1638391
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1697598
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1700016
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1713468
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1715075
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1728604
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1741860
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1752770
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1755831
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1755849
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758167
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758171
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758182
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758187
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758191
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1764658
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1767483
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1772464
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1775293
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1793154
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1796225
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1797011
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1798509
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1798524
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1807305
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1815212
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1815470
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1815495
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816330
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816332
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816337
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816340
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1819208
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1819212
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1821304
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1821311
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1821315
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1826798
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1826805
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848958
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848960
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848962
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848966
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3192.json