Important: Red Hat Fuse 7.11.0 release and security update

Synopsis

Important: Red Hat Fuse 7.11.0 release and security update

Type/Severity

Security Advisory: Important

Topic

A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

  • fastjson (CVE-2022-25845)
  • jackson-databind (CVE-2020-36518)
  • mysql-connector-java (CVE-2021-2471, CVE-2022-21363)
  • undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)
  • wildfly-elytron (CVE-2021-3642)
  • nodejs-ansi-regex (CVE-2021-3807)
  • undertow (CVE-2021-3859)
  • kubernetes-client (CVE-2021-4178)
  • spring-security (CVE-2021-22119)
  • protobuf-java (CVE-2021-22569)
  • google-oauth-client (CVE-2021-22573)
  • XStream (CVE-2021-29505, CVE-2021-43859)
  • jdom (CVE-2021-33813)
  • apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)
  • Kafka (CVE-2021-38153)
  • xml-security (CVE-2021-40690)
  • logback (CVE-2021-42550)
  • netty (CVE-2021-43797)
  • xnio (CVE-2022-0084)
  • jdbc-postgresql (CVE-2022-21724)
  • spring-expression (CVE-2022-22950)
  • springframework (CVE-2021-22096, CVE-2021-22060, CVE-2022-22976, CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)
  • h2 (CVE-2022-23221)
  • junrar (CVE-2022-23596)
  • artemis-commons (CVE-2022-23913)
  • elasticsearch (CVE-2020-7020)
  • tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122, CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340, CVE-2022-23181)
  • junit4 (CVE-2020-15250)
  • wildfly-core (CVE-2020-25689, CVE-2021-3644)
  • kotlin (CVE-2020-29582)
  • karaf (CVE-2021-41766, CVE-2022-22932)
  • Spring Framework (CVE-2022-22968)
  • metadata-extractor (CVE-2022-24614)
  • poi-scratchpad (CVE-2022-26336)
  • postgresql-jdbc (CVE-2022-26520)
  • tika-core (CVE-2022-30126)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are available from the Fuse 7.11.0 product documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

Affected Products

  • Red Hat Fuse 1 x86_64

Fixes

  • BZ - 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
  • BZ - 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure
  • BZ - 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
  • BZ - 1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
  • BZ - 1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system
  • BZ - 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
  • BZ - 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c
  • BZ - 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
  • BZ - 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
  • BZ - 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
  • BZ - 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
  • BZ - 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request
  • BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DoS
  • BZ - 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
  • BZ - 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
  • BZ - 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
  • BZ - 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive
  • BZ - 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive
  • BZ - 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
  • BZ - 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
  • BZ - 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
  • BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  • BZ - 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
  • BZ - 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
  • BZ - 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
  • BZ - 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
  • BZ - 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
  • BZ - 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
  • BZ - 2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file
  • BZ - 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
  • BZ - 2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries
  • BZ - 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
  • BZ - 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
  • BZ - 2046279 - CVE-2022-22932 karaf: path traversal flaws
  • BZ - 2046282 - CVE-2021-41766 karaf: insecure java deserialization
  • BZ - 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
  • BZ - 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability
  • BZ - 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting
  • BZ - 2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS
  • BZ - 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
  • BZ - 2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
  • BZ - 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file
  • BZ - 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception
  • BZ - 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
  • BZ - 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability
  • BZ - 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
  • BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
  • BZ - 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
  • BZ - 2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DoS (incomplete fix for CVE-2021-3629)
  • BZ - 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures
  • BZ - 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability
  • BZ - 2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified
  • BZ - 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
  • BZ - 2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part
  • BZ - 2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket
  • BZ - 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher
  • BZ - 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor
  • BZ - 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization