Red Hat Security Advisory: Red Hat Fuse 7.11.0 release and security update
🔗 CVE IDs covered (58)
📋 Description
CVE-2020-7020 — elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure CVE-2020-9484 — tomcat: deserialization flaw in session persistence storage leading to RCE CVE-2020-15250 — junit4: TemporaryFolder is shared between all users across system which could result in information disclosure CVE-2020-25689 — wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller CVE-2020-29582 — kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure CVE-2020-36518 — jackson-databind: denial of service via a large depth of nested objects CVE-2021-2471 — mysql-connector-java: unauthorized access to critical CVE-2021-3629 — undertow: potential security issue in flow control over HTTP/2 may lead to DOS CVE-2021-3642 — wildfly-elytron: possible timing attack in ScramServer CVE-2021-3644 — wildfly-core: Invalid Sensitivity Classification of Vault Expression CVE-2021-3807 — nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes CVE-2021-3859 — undertow: client side invocation timeout raised when calling over HTTP2 CVE-2021-4178 — kubernetes-client: Insecure deserialization in unmarshalYaml method CVE-2021-22060 — springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096) CVE-2021-22096 — springframework: malicious input leads to insertion of additional log entries CVE-2021-22119 — spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request CVE-2021-22569 — protobuf-java: potential DoS in the parsing procedure for binary data CVE-2021-22573 — google-oauth-client: Token signature not verified CVE-2021-24122 — tomcat: Information disclosure when using NTFS file system CVE-2021-25122 — tomcat: Request mix-up with h2c CVE-2021-25329 — tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) CVE-2021-29505 — XStream: remote command execution attack by manipulating the processed input stream CVE-2021-30640 — tomcat: JNDI realm authentication weakness CVE-2021-33037 — tomcat: HTTP request smuggling when used with a reverse proxy CVE-2021-33813 — jdom: XXE allows attackers to cause a DoS via a crafted HTTP request CVE-2021-35515 — apache-commons-compress: infinite loop when reading a specially crafted 7Z archive CVE-2021-35516 — apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive CVE-2021-35517 — apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive CVE-2021-36090 — apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive CVE-2021-38153 — Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients CVE-2021-40690 — xml-security: XPath Transform abuse allows for information disclosure CVE-2021-41079 — tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine CVE-2021-41766 — karaf: insecure java deserialization CVE-2021-42340 — tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS CVE-2021-42550 — logback: remote code execution through JNDI call from within its configuration file CVE-2021-43797 — netty: control chars in header names may lead to HTTP request smuggling CVE-2021-43859 — xstream: Injecting highly recursive collections or maps can cause a DoS CVE-2022-0084 — xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr CVE-2022-1259 — undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) CVE-2022-1319 — undertow: Double AJP response for 400 from EAP 7 results in CPING failures CVE-2022-21363 — mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors CVE-2022-21724 — jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes CVE-2022-22932 — karaf: path traversal flaws CVE-2022-22950 — spring-expression: Denial of service via specially crafted SpEL expression CVE-2022-22968 — Framework: Data Binding Rules Vulnerability CVE-2022-22970 — springframework: DoS via data binding to multipartFile or servlet part CVE-2022-22971 — springframework: DoS with STOMP over WebSocket CVE-2022-22976 — springframework: BCrypt skips salt rounds for work factor of 31 CVE-2022-22978 — springframework: Authorization Bypass in RegexRequestMatcher CVE-2022-23181 — tomcat: local privilege escalation vulnerability CVE-2022-23221 — h2: Loading of custom classes from remote servers through JNDI CVE-2022-23596 — junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting CVE-2022-23913 — artemis-commons: Apache ActiveMQ Artemis DoS CVE-2022-24614 — metadata-extractor: Out-of-memory when reading a specially crafted JPEG file CVE-2022-25845 — fastjson: autoType shutdown restriction bypass leads to deserialization CVE-2022-26336 — poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception CVE-2022-26520 — postgresql-jdbc: Arbitrary File Write Vulnerability CVE-2022-30126 — tika-core: Regular Expression Denial of Service in standards extractor
🔗 References (63)
- selfhttps://access.redhat.com/errata/RHSA-2022:5532
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.11.0
- externalhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1838332
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1887810
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1893070
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1893125
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1917209
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1930291
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1934032
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1934061
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1966735
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1973413
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1976052
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1977064
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1977362
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1981407
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1981533
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1981544
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1981895
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1981900
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1981903
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1981909
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2004820
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2007557
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2009041
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2010378
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2011190
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2014356
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2020583
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2031958
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2033560
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2034388
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2034584
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2039903
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2044596
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2046279
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2046282
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2047343
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2047417
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2049778
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2049783
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2050863
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2055480
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2058763
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2063292
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2063601
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2064007
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2064226
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2064698
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2069414
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2072339
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2073890
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2075441
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2081879
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2087214
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2087272
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2087274
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2087606
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2088523
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2100654
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5532.json