===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3611
                       Red Hat Fuse security update
                               27 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Fuse
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30126 CVE-2022-26520 CVE-2022-26336
                   CVE-2022-25845 CVE-2022-24614 CVE-2022-23913
                   CVE-2022-23596 CVE-2022-23221 CVE-2022-23181
                   CVE-2022-22978 CVE-2022-22976 CVE-2022-22971
                   CVE-2022-22970 CVE-2022-22968 CVE-2022-22950
                   CVE-2022-22932 CVE-2022-21724 CVE-2022-21363
                   CVE-2022-1319 CVE-2022-1259 CVE-2022-0084
                   CVE-2021-43859 CVE-2021-43797 CVE-2021-42550
                   CVE-2021-42340 CVE-2021-41766 CVE-2021-41079
                   CVE-2021-40690 CVE-2021-38153 CVE-2021-36090
                   CVE-2021-35517 CVE-2021-35516 CVE-2021-35515
                   CVE-2021-33813 CVE-2021-33037 CVE-2021-30640
                   CVE-2021-29505 CVE-2021-25329 CVE-2021-25122
                   CVE-2021-24122 CVE-2021-22573 CVE-2021-22569
                   CVE-2021-22119 CVE-2021-22096 CVE-2021-22060
                   CVE-2021-4178 CVE-2021-3859 CVE-2021-3807
                   CVE-2021-3644 CVE-2021-3642 CVE-2021-3629
                   CVE-2021-2471 CVE-2020-36518 CVE-2020-29582
                   CVE-2020-25689 CVE-2020-15250 CVE-2020-9484
                   CVE-2020-7020  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:5532

Comment: CVSS (Max):  9.8 CVE-2022-23221 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
         
         Note: Recent issues with access to Red Hat advisories have resulted in some delayed reporting.

--------------------------BEGIN INCLUDED TEXT--------------------

Red Hat Product Errata RHSA-2022:5532 - Security Advisory

Issued:  2022-07-07
Updated: 2022-07-07

RHSA-2022:5532 - Security Advisory

Topic

A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from the
CVE link(s) in the References section.

Description

This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse
7.10 and includes bug fixes and enhancements, which are documented in the
Release Notes document linked in the References.

Security Fix(es):

  o fastjson (CVE-2022-25845)
  o jackson-databind (CVE-2020-36518)
  o mysql-connector-java (CVE-2021-2471, CVE-2022-21363)
  o undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)
  o wildfly-elytron (CVE-2021-3642)
  o nodejs-ansi-regex (CVE-2021-3807)
  o undertow (CVE-2021-3859)
  o kubernetes-client (CVE-2021-4178)
  o spring-security (CVE-2021-22119)
  o protobuf-java (CVE-2021-22569)
  o google-oauth-client (CVE-2021-22573)
  o XStream (CVE-2021-29505, CVE-2021-43859)
  o jdom (CVE-2021-33813)
  o apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517,
    CVE-2021-36090)
  o Kafka (CVE-2021-38153)
  o xml-security (CVE-2021-40690)
  o logback (CVE-2021-42550)
  o netty (CVE-2021-43797)
  o xnio (CVE-2022-0084)
  o jdbc-postgresql (CVE-2022-21724)
  o spring-expression (CVE-2022-22950)
  o springframework (CVE-2021-22096, CVE-2021-22060, CVE-2022-22976,
    CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)
  o h2 (CVE-2022-23221)
  o junrar (CVE-2022-23596)
  o artemis-commons (CVE-2022-23913)
  o elasticsearch (CVE-2020-7020)
  o tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122,
    CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340,
    CVE-2022-23181)
  o junit4 (CVE-2020-15250)
  o wildfly-core (CVE-2020-25689, CVE-2021-3644)
  o kotlin (CVE-2020-29582)
  o karaf (CVE-2021-41766, CVE-2022-22932)
  o Spring Framework (CVE-2022-22968)
  o metadata-extractor (CVE-2022-24614)
  o poi-scratchpad (CVE-2022-26336)
  o postgresql-jdbc (CVE-2022-26520)
  o tika-core (CVE-2022-30126)

For more details about the security issues, including the impact, CVSS score,
acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Solution

Before applying the update, back up your existing installation, including all
applications, configuration files, databases and database settings, and so on.

Installation instructions are available from the Fuse 7.11.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

Affected Products

  o Red Hat Fuse 1 x86_64

Fixes

  o BZ - 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session
    persistence storage leading to RCE
  o BZ - 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between
    all users across system which could result in information disclosure
  o BZ - 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly
    host-controller in domain mode while not able to reconnect to
    domain-controller
  o BZ - 1893125 - CVE-2020-7020 elasticsearch: not properly preserving
    security permissions when executing complex queries may lead to
    information disclosure
  o BZ - 1917209 - CVE-2021-24122 tomcat: Information disclosure when using
    NTFS file system
  o BZ - 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for
    temporary file and folder creation which could result in information
    disclosure
  o BZ - 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c
  o BZ - 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484
    (RCE via session persistence)
  o BZ - 1966735 - CVE-2021-29505 XStream: remote command execution attack by
    manipulating the processed input stream
  o BZ - 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS
    via a crafted HTTP request
  o BZ - 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity
    Classification of Vault Expression
  o BZ - 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS)
    attack via initiation of Authorization Request
  o BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow
    control over HTTP/2 may lead to DoS
  o BZ - 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in
    ScramServer
  o BZ - 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used
    with a reverse proxy
  o BZ - 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
  o BZ - 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when
    reading a specially crafted 7Z archive
  o BZ - 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory
    allocation when reading a specially crafted 7Z archive
  o BZ - 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory
    allocation when reading a specially crafted TAR archive
  o BZ - 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory
    allocation when reading a specially crafted ZIP archive
  o BZ - 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an
    unexpected TLS packet when using OpenSSL JSSE engine
  o BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial
    of service (ReDoS) matching ANSI escape codes
  o BZ - 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for
    Apache Kafka Connect and Clients
  o BZ - 2010378 - CVE-2021-3859 undertow: client side invocation timeout
    raised when calling over HTTP2
  o BZ - 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows
    for information disclosure
  o BZ - 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP
    upgrade connection leak could lead to DoS
  o BZ - 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to
    critical
  o BZ - 2031958 - CVE-2021-43797 netty: control chars in header names may
    lead to HTTP request smuggling
  o BZ - 2033560 - CVE-2021-42550 logback: remote code execution through JNDI
    call from within its configuration file
  o BZ - 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization
    in unmarshalYaml method
  o BZ - 2034584 - CVE-2021-22096 springframework: malicious input leads to
    insertion of additional log entries
  o BZ - 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing
    procedure for binary data
  o BZ - 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote
    servers through JNDI
  o BZ - 2046279 - CVE-2022-22932 karaf: path traversal flaws
  o BZ - 2046282 - CVE-2021-41766 karaf: insecure java deserialization
  o BZ - 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit
    vulnerability allows high privileged attacker with network access via
    multiple protocols to compromise MySQL Connectors
  o BZ - 2047417 - CVE-2022-23181 tomcat: local privilege escalation
    vulnerability
  o BZ - 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can
    trigger an infinite loop while extracting
  o BZ - 2049783 - CVE-2021-43859 xstream: Injecting highly recursive
    collections or maps can cause a DoS
  o BZ - 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class
    Instantiation when providing Plugin Classes
  o BZ - 2055480 - CVE-2021-22060 springframework: Additional Log Injection in
    Spring Framework (follow-up to CVE-2021-22096)
  o BZ - 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when
    reading a specially crafted JPEG file
  o BZ - 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF
    file can cause an out of memory exception
  o BZ - 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
  o BZ - 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write
    Vulnerability
  o BZ - 2064226 - CVE-2022-0084 xnio:
    org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
  o BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a
    large depth of nested objects
  o BZ - 2069414 - CVE-2022-22950 spring-expression: Denial of service via
    specially crafted SpEL expression
  o BZ - 2072339 - CVE-2022-1259 undertow: potential security issue in flow
    control over HTTP/2 may lead to DoS (incomplete fix for CVE-2021-3629)
  o BZ - 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from
    EAP 7 results in CPING failures
  o BZ - 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules
    Vulnerability
  o BZ - 2081879 - CVE-2021-22573 google-oauth-client: Token signature not
    verified
  o BZ - 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds
    for work factor of 31
  o BZ - 2087272 - CVE-2022-22970 springframework: DoS via data binding to
    multipartFile or servlet part
  o BZ - 2087274 - CVE-2022-22971 springframework: DoS with STOMP over
    WebSocket
  o BZ - 2087606 - CVE-2022-22978 springframework: Authorization Bypass in
    RegexRequestMatcher
  o BZ - 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of
    Service in standards extractor
  o BZ - 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction
    bypass leads to deserialization

CVEs

  o CVE-2020-7020
  o CVE-2020-9484
  o CVE-2020-15250
  o CVE-2020-25689
  o CVE-2020-29582
  o CVE-2020-36518
  o CVE-2021-2471
  o CVE-2021-3629
  o CVE-2021-3642
  o CVE-2021-3644
  o CVE-2021-3807
  o CVE-2021-3859
  o CVE-2021-4178
  o CVE-2021-22060
  o CVE-2021-22096
  o CVE-2021-22119
  o CVE-2021-22569
  o CVE-2021-22573
  o CVE-2021-24122
  o CVE-2021-25122
  o CVE-2021-25329
  o CVE-2021-29505
  o CVE-2021-30640
  o CVE-2021-33037
  o CVE-2021-33813
  o CVE-2021-35515
  o CVE-2021-35516
  o CVE-2021-35517
  o CVE-2021-36090
  o CVE-2021-38153
  o CVE-2021-40690
  o CVE-2021-41079
  o CVE-2021-41766
  o CVE-2021-42340
  o CVE-2021-42550
  o CVE-2021-43797
  o CVE-2021-43859
  o CVE-2022-0084
  o CVE-2022-1259
  o CVE-2022-1319
  o CVE-2022-21363
  o CVE-2022-21724
  o CVE-2022-22932
  o CVE-2022-22950
  o CVE-2022-22968
  o CVE-2022-22970
  o CVE-2022-22971
  o CVE-2022-22976
  o CVE-2022-22978
  o CVE-2022-23181
  o CVE-2022-23221
  o CVE-2022-23596
  o CVE-2022-23913
  o CVE-2022-24614
  o CVE-2022-25845
  o CVE-2022-26336
  o CVE-2022-26520
  o CVE-2022-30126

References

  o https://access.redhat.com/security/updates/classification/#important
  o https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.11.0
  o https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/


Contact
The Red Hat security contact is secalert@redhat.com. More contact details at
https://access.redhat.com/security/team/contact/.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================