-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3611
                         Red Hat Fuse security update
                                27 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Fuse
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-30126 CVE-2022-26520 CVE-2022-26336 CVE-2022-25845
                   CVE-2022-24614 CVE-2022-23913 CVE-2022-23596 CVE-2022-23221
                   CVE-2022-23181 CVE-2022-22978 CVE-2022-22976 CVE-2022-22971
                   CVE-2022-22970 CVE-2022-22968 CVE-2022-22950 CVE-2022-22932
                   CVE-2022-21724 CVE-2022-21363 CVE-2022-1319 CVE-2022-1259
                   CVE-2022-0084 CVE-2021-43859 CVE-2021-43797 CVE-2021-42550
                   CVE-2021-42340 CVE-2021-41766 CVE-2021-41079 CVE-2021-40690
                   CVE-2021-38153 CVE-2021-36090 CVE-2021-35517 CVE-2021-35516
                   CVE-2021-35515 CVE-2021-33813 CVE-2021-33037 CVE-2021-30640
                   CVE-2021-29505 CVE-2021-25329 CVE-2021-25122 CVE-2021-24122
                   CVE-2021-22573 CVE-2021-22569 CVE-2021-22119 CVE-2021-22096
                   CVE-2021-22060 CVE-2021-4178 CVE-2021-3859 CVE-2021-3807
                   CVE-2021-3644 CVE-2021-3642 CVE-2021-3629 CVE-2021-2471
                   CVE-2020-36518 CVE-2020-29582 CVE-2020-25689 CVE-2020-15250
                   CVE-2020-9484 CVE-2020-7020

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:5532

Comment: CVSS (Max):  9.8 CVE-2022-23221 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

         Note: Recent issues with access to Red Hat advisories have resulted
         in some delayed reporting.

- --------------------------BEGIN INCLUDED TEXT--------------------

Red Hat Product Errata RHSA-2022:5532 - Security Advisory
Issued:  2022-07-07
Updated: 2022-07-07

Topic

A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse
7.10 and includes bug fixes and enhancements, which are documented in the
Release Notes document linked in the References.

Security Fix(es):

  o fastjson (CVE-2022-25845)
  o jackson-databind (CVE-2020-36518)
  o mysql-connector-java (CVE-2021-2471, CVE-2022-21363)
  o undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319, CVE-2021-3859)
  o wildfly-elytron (CVE-2021-3642)
  o nodejs-ansi-regex (CVE-2021-3807)
  o kubernetes-client (CVE-2021-4178)
  o spring-security (CVE-2021-22119)
  o protobuf-java (CVE-2021-22569)
  o google-oauth-client (CVE-2021-22573)
  o XStream (CVE-2021-29505, CVE-2021-43859)
  o jdom (CVE-2021-33813)
  o apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517,
    CVE-2021-36090)
  o Kafka (CVE-2021-38153)
  o xml-security (CVE-2021-40690)
  o logback (CVE-2021-42550)
  o netty (CVE-2021-43797)
  o xnio (CVE-2022-0084)
  o jdbc-postgresql (CVE-2022-21724)
  o spring-expression (CVE-2022-22950)
  o springframework (CVE-2021-22096, CVE-2021-22060, CVE-2022-22976,
    CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)
  o h2 (CVE-2022-23221)
  o junrar (CVE-2022-23596)
  o artemis-commons (CVE-2022-23913)
  o elasticsearch (CVE-2020-7020)
  o tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122,
    CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340,
    CVE-2022-23181)
  o junit4 (CVE-2020-15250)
  o wildfly-core (CVE-2020-25689, CVE-2021-3644)
  o kotlin (CVE-2020-29582)
  o karaf (CVE-2021-41766, CVE-2022-22932)
  o Spring Framework (CVE-2022-22968)
  o metadata-extractor (CVE-2022-24614)
  o poi-scratchpad (CVE-2022-26336)
  o postgresql-jdbc (CVE-2022-26520)
  o tika-core (CVE-2022-30126)

For more details about the security issues, including the impact, CVSS score,
acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Solution

Before applying the update, back up your existing installation, including all
applications, configuration files, databases and database settings, and so on.

Installation instructions are available from the Fuse 7.11.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

Affected Products

  o Red Hat Fuse 1 x86_64

Fixes

  o BZ - 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
  o BZ - 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure
  o BZ - 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
  o BZ - 1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
  o BZ - 1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system
  o BZ - 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
  o BZ - 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c
  o BZ - 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
  o BZ - 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
  o BZ - 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
  o BZ - 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
  o BZ - 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request
  o BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
  o BZ - 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
  o BZ - 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
  o BZ - 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
  o BZ - 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive
  o BZ - 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive
  o BZ - 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
  o BZ - 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
  o BZ - 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
  o BZ - 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
  o BZ - 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
  o BZ - 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
  o BZ - 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
  o BZ - 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
  o BZ - 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
  o BZ - 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
  o BZ - 2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file
  o BZ - 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
  o BZ - 2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries
  o BZ - 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
  o BZ - 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
  o BZ - 2046279 - CVE-2022-22932 karaf: path traversal flaws
  o BZ - 2046282 - CVE-2021-41766 karaf: insecure java deserialization
  o BZ - 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
  o BZ - 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability
  o BZ - 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting
  o BZ - 2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS
  o BZ - 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
  o BZ - 2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
  o BZ - 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file
  o BZ - 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception
  o BZ - 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
  o BZ - 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability
  o BZ - 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
  o BZ - 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
  o BZ - 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
  o BZ - 2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS (incomplete fix for CVE-2021-3629)
  o BZ - 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures
  o BZ - 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability
  o BZ - 2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified
  o BZ - 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
  o BZ - 2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part
  o BZ - 2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket
  o BZ - 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher
  o BZ - 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor
  o BZ - 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization

CVEs

  o CVE-2020-7020
  o CVE-2020-9484
  o CVE-2020-15250
  o CVE-2020-25689
  o CVE-2020-29582
  o CVE-2020-36518
  o CVE-2021-2471
  o CVE-2021-3629
  o CVE-2021-3642
  o CVE-2021-3644
  o CVE-2021-3807
  o CVE-2021-3859
  o CVE-2021-4178
  o CVE-2021-22060
  o CVE-2021-22096
  o CVE-2021-22119
  o CVE-2021-22569
  o CVE-2021-22573
  o CVE-2021-24122
  o CVE-2021-25122
  o CVE-2021-25329
  o CVE-2021-29505
  o CVE-2021-30640
  o CVE-2021-33037
  o CVE-2021-33813
  o CVE-2021-35515
  o CVE-2021-35516
  o CVE-2021-35517
  o CVE-2021-36090
  o CVE-2021-38153
  o CVE-2021-40690
  o CVE-2021-41079
  o CVE-2021-41766
  o CVE-2021-42340
  o CVE-2021-42550
  o CVE-2021-43797
  o CVE-2021-43859
  o CVE-2022-0084
  o CVE-2022-1259
  o CVE-2022-1319
  o CVE-2022-21363
  o CVE-2022-21724
  o CVE-2022-22932
  o CVE-2022-22950
  o CVE-2022-22968
  o CVE-2022-22970
  o CVE-2022-22971
  o CVE-2022-22976
  o CVE-2022-22978
  o CVE-2022-23181
  o CVE-2022-23221
  o CVE-2022-23596
  o CVE-2022-23913
  o CVE-2022-24614
  o CVE-2022-25845
  o CVE-2022-26336
  o CVE-2022-26520
  o CVE-2022-30126

References

  o https://access.redhat.com/security/updates/classification/#important
  o https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.11.0
  o https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

Contact

The Red Hat security contact is secalert@redhat.com. More contact details at
https://access.redhat.com/security/team/contact/.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYuCFOMkNZI30y1K9AQiz4A/+NY+gtpDZjkrYUVFTy8JTFxAbfcwO43I4
NYZSJYlPkeUL9QQC/DD9gAJhxBbYpJgK4VLIo1wjx777VDiBRKlK20hPlZWWuHeS
tNDJ0BBcAhy1ZcH8UQ1Y1KopLZtEpnU6pDxPwkJsQJ2mvCKaDQVpd1un4TLlbB/f
P/vMS5M2S64Vn1Yzqx9fq1fJqsJT0SyEKsNkaKdkMAhyAzA0g5sUOtv01/uqzHNb
ZwPR5MqpAt15XP5qk4GO6Pip5q9/IY4AE6NaG7TYsNpxB1FVc9hvHVLR2R3fJ2+w
TPIsNT1aZRIsN7z7RT/TUdubvBUs1ypHgIdG3NBdOey79VVDlyXo6dFrRNikTPIf
1zB6NXFsTobsa/c+vxLDktD2sB/vrWuaNY0L6x7gxvrdmJxWsZk0d4Ytk+g2c0w2
aqfdh8+NLtk3qF/e/5ch5ET5GhTaVNcN5p4atntS1JeuXS5o9npl54I6voO+iVBE
37jI47Wn897mJRC6sOBkfuDy9cCgXII1QfanlP9vgQ1hbqv4lHD5BVcb/lQCr94n
mnbGa21w3gS1zr/4m4tWPplVTn1rlQ9N8/rbxqmhoKL+fFJyic+cEQCsWkv5J6JN
Ke6Lt1/xynCX8JPV0Jb04pUBALJn1l01hNx/eYKa3hQnb6gkmYEJ1R54QWIMqFsz
yacILTPeBU8=
=pdF4
-----END PGP SIGNATURE-----
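When a bulletin like this one is fed into a vulnerability tracker, the per-component "Security Fix(es)" list is what gets matched against dependency names, while the "CVE Names" header is the set the bulletin claims to cover, so the two should agree. The following is an added example by the editor, not AusCERT or Red Hat code: it parses both lists out of bulletin text in this layout, builds the component-to-CVE map, and reports duplicated CVEs and CVEs present in one list but not the other. The text embedded in the code is a constructed, shortened excerpt in this bulletin's format, with a duplicated CVE and a header/list mismatch planted deliberately so the checks have something to report.

```python
"""Reconcile a bulletin's 'CVE Names' header with its 'Security Fix(es)' list.

Editor's example, not AusCERT or Red Hat code.  BULLETIN below is a
constructed, shortened excerpt in the AusCERT/Red Hat layout; the duplicated
CVE-2021-3807 and the jdom entry missing from the header are planted on
purpose so the reconciliation has findings to show."""
import re
from collections import Counter, defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

BULLETIN = """\
CVE Names:         CVE-2022-23221 CVE-2021-3807 CVE-2021-3859
                   CVE-2022-22976 CVE-2022-22978 CVE-2021-22096
Original Bulletin:
   https://access.redhat.com/errata/RHSA-2022:5532

Security Fix(es):

  o nodejs-ansi-regex (CVE-2021-3807, CVE-2021-3807)
  o undertow (CVE-2021-3859)
  o springframework (CVE-2021-22096, CVE-2022-22976, CVE-2022-22978)
  o h2 (CVE-2022-23221)
  o jdom (CVE-2021-33813)

For more details about the security issues, including the impact, CVSS score,
"""


def header_cves(text):
    """CVEs under 'CVE Names:' up to the next unindented 'Label:' line
    (continuation lines of the header are indented)."""
    m = re.search(r"CVE Names:(.*?)^\S[^\n]*:", text, re.S | re.M)
    if not m:
        raise ValueError("no 'CVE Names:' block found")
    return CVE_RE.findall(m.group(1))


def fix_list(text):
    """Map component -> CVEs from the 'o component (CVE, CVE)' bullets that
    follow 'Security Fix(es):'; duplicates are kept so they can be reported."""
    comps = defaultdict(list)
    in_block = False
    for line in text.splitlines():
        if line.startswith("Security Fix(es):"):
            in_block = True
            continue
        if not in_block:
            continue
        item = re.match(r"\s*o\s+(.+?)\s*\((.*)\)\s*$", line)
        if item:
            comps[item.group(1)].extend(CVE_RE.findall(item.group(2)))
        elif line.strip():          # first non-bullet, non-blank line ends the block
            break
    if not comps:
        raise ValueError("no 'Security Fix(es):' block found")
    return dict(comps)


def reconcile(text):
    """Cross-check the two lists and return the map plus the discrepancies."""
    header = header_cves(text)
    comps = fix_list(text)
    listed = [c for cves in comps.values() for c in cves]
    return {
        "components": comps,
        "duplicates": sorted(c for c, n in Counter(listed).items() if n > 1),
        "not_in_header": sorted(set(listed) - set(header)),
        "not_in_fixes": sorted(set(header) - set(listed)),
    }


if __name__ == "__main__":
    result = reconcile(BULLETIN)
    for comp, cves in sorted(result["components"].items()):
        print(f"{comp:20s} {' '.join(cves)}")
    for key in ("duplicates", "not_in_header", "not_in_fixes"):
        print(f"{key}: {result[key] or 'none'}")
```

Run against the full bulletin text, the component map is what you file tickets from (one per component rather than one per CVE), and a non-empty not_in_header or not_in_fixes result is the signal to go back to the Original Bulletin URL rather than trust the redistributed copy, as the AusCERT note at the end of the bulletin itself advises.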