Important: Fuse 7.1 security update

Synopsis

Important: Fuse 7.1 security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat Fuse.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.

This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

• Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)
  
• thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands (CVE-2016-5397)
  
• slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)
  
• jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)
  
• bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)
  
• bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)
  
• bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)
  
• bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342)
  
• bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)
  
• bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)
  
• bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)
  
• bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)
  
• async-http-client: Invalid URL parsing with '?' (CVE-2017-14063)
  
• undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)
  
• spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)
  
• tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)
  
• tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)
  
• pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF (CVE-2018-8036)
  
• jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)
  
• bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)
  
• bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)
  
• bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)
  
• spring-framework: Multipart content pollution (CVE-2018-1272)
  

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are located in the download section of the customer portal.

The References section of this erratum contains a download link (you must log in to download the update).

Affected Products

• Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

• BZ - 1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters
• BZ - 1487563 - CVE-2017-14063 async-http-client: Invalid URL parsing with '?'
• BZ - 1544620 - CVE-2016-5397 thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands
• BZ - 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
• BZ - 1559316 - CVE-2018-1000130 jolokia: JMX proxy mode vulnerable to remote code execution
• BZ - 1559317 - CVE-2018-1000129 jolokia: Cross site scripting in the HTTP servlet
• BZ - 1564408 - CVE-2018-1272 spring-framework: Multipart content pollution
• BZ - 1571050 - CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
• BZ - 1572421 - CVE-2018-1338 tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service
• BZ - 1572424 - CVE-2018-1339 tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service
• BZ - 1573045 - CVE-2018-1114 undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service
• BZ - 1588306 - CVE-2018-1000180 bouncycastle: flaw in the low-level interface to RSA key pair generator
• BZ - 1588313 - CVE-2016-1000338 bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data
• BZ - 1588314 - CVE-2016-1000344 bouncycastle: DHIES implementation allowed the use of ECB mode
• BZ - 1588323 - CVE-2016-1000345 bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack
• BZ - 1588327 - CVE-2016-1000346 bouncycastle: Other party DH public keys are not fully validated
• BZ - 1588330 - CVE-2016-1000352 bouncycastle: ECIES implementation allowed the use of ECB mode
• BZ - 1588688 - CVE-2016-1000340 bouncycastle: Carry propagation bug in math.raw.Nat??? class
• BZ - 1588695 - CVE-2016-1000339 bouncycastle: Information leak in AESFastEngine class
• BZ - 1588708 - CVE-2016-1000341 bouncycastle: Information exposure in DSA signature generation via timing attack
• BZ - 1588715 - CVE-2016-1000342 bouncycastle: ECDSA improper validation of ASN.1 encoding of signature
• BZ - 1588721 - CVE-2016-1000343 bouncycastle: DSA key pair generator generates a weak private key by default
• BZ - 1597490 - CVE-2018-8036 pdfbox: Infinite loop in AFMParser.java allows for out of memory erros via crafted PDF

CVEs

• CVE-2014-0114
• CVE-2016-5397
• CVE-2016-1000338
• CVE-2016-1000339
• CVE-2016-1000340
• CVE-2016-1000341
• CVE-2016-1000342
• CVE-2016-1000343
• CVE-2016-1000344
• CVE-2016-1000345
• CVE-2016-1000346
• CVE-2016-1000352
• CVE-2017-14063
• CVE-2018-1114
• CVE-2018-1271
• CVE-2018-1272
• CVE-2018-1338
• CVE-2018-1339
• CVE-2018-8036
• CVE-2018-8088
• CVE-2018-1000129
• CVE-2018-1000130
• CVE-2018-1000180

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.1.0
• https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/
• https://access.redhat.com/articles/2939351