Synopsis
Important: Red Hat Fuse 7.11.0 release and security update
Type/Severity
Security Advisory: Important
Topic
A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
- fastjson (CVE-2022-25845)
- jackson-databind (CVE-2020-36518)
- mysql-connector-java (CVE-2021-2471, CVE-2022-21363)
- undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)
- wildfly-elytron (CVE-2021-3642)
- nodejs-ansi-regex (CVE-2021-3807)
- undertow (CVE-2021-3859)
- kubernetes-client (CVE-2021-4178)
- spring-security (CVE-2021-22119)
- protobuf-java (CVE-2021-22569)
- google-oauth-client (CVE-2021-22573)
- XStream (CVE-2021-29505, CVE-2021-43859)
- jdom (CVE-2021-33813)
- apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)
- Kafka (CVE-2021-38153)
- xml-security (CVE-2021-40690)
- logback (CVE-2021-42550)
- netty (CVE-2021-43797)
- xnio (CVE-2022-0084)
- jdbc-postgresql (CVE-2022-21724)
- spring-expression (CVE-2022-22950)
- springframework (CVE-2021-22096, CVE-2021-22060, CVE-2022-22976, CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)
- h2 (CVE-2022-23221)
- junrar (CVE-2022-23596)
- artemis-commons (CVE-2022-23913)
- elasticsearch (CVE-2020-7020)
- tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122, CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340, CVE-2022-23181)
- junit4 (CVE-2020-15250)
- wildfly-core (CVE-2020-25689, CVE-2021-3644)
- kotlin (CVE-2020-29582)
- karaf (CVE-2021-41766, CVE-2022-22932)
- Spring Framework (CVE-2022-22968)
- metadata-extractor (CVE-2022-24614)
- poi-scratchpad (CVE-2022-26336)
- postgresql-jdbc (CVE-2022-26520)
- tika-core (CVE-2022-30126)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixes
- BZ - 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
- BZ - 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure
- BZ - 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
- BZ - 1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
- BZ - 1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system
- BZ - 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
- BZ - 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c
- BZ - 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
- BZ - 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
- BZ - 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
- BZ - 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
- BZ - 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request
- BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DoS
- BZ - 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
- BZ - 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
- BZ - 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
- BZ - 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive
- BZ - 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive
- BZ - 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
- BZ - 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
- BZ - 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
- BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
- BZ - 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
- BZ - 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
- BZ - 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
- BZ - 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
- BZ - 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
- BZ - 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
- BZ - 2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file
- BZ - 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
- BZ - 2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries
- BZ - 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
- BZ - 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
- BZ - 2046279 - CVE-2022-22932 karaf: path traversal flaws
- BZ - 2046282 - CVE-2021-41766 karaf: insecure java deserialization
- BZ - 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
- BZ - 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability
- BZ - 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting
- BZ - 2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS
- BZ - 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
- BZ - 2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
- BZ - 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file
- BZ - 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception
- BZ - 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
- BZ - 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability
- BZ - 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
- BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
- BZ - 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
- BZ - 2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DoS (incomplete fix for CVE-2021-3629)
- BZ - 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures
- BZ - 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability
- BZ - 2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified
- BZ - 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
- BZ - 2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part
- BZ - 2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket
- BZ - 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher
- BZ - 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor
- BZ - 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization