Synopsis
Important: Red Hat Fuse 7.11.1 release and security update
Type/Severity
Security Advisory: Important
Topic
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
- hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)
- io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
- io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
- wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)
- json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)
- io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)
- urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)
- http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)
- snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)
- urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)
- Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)
- netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)
- jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)
- commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)
- commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)
- undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)
- moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)
- snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Fixes
- BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
- BZ - 1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
- BZ - 2055496 - CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key
- BZ - 2062370 - CVE-2022-24723 urijs: Leading white space bypasses protocol validation
- BZ - 2066009 - CVE-2021-44906 minimist: prototype pollution
- BZ - 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
- BZ - 2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data
- BZ - 2095862 - CVE-2022-2053 undertow: Large AJP request may cause DoS
- BZ - 2102695 - CVE-2021-31684 json-smart: Denial of Service in JSONParserByteArray function
- BZ - 2105067 - CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
- BZ - 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
- BZ - 2116952 - CVE-2022-2048 http2-server: Invalid HTTP/2 requests cause DoS
- BZ - 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
- BZ - 2129428 - CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
- BZ - 2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
- BZ - 2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE
- BZ - 2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack