ESB-2017.1991 - [RedHat] Red Hat JBoss Fuse and Red Hat JBoss A-MQ: Multiple vulnerabilities 2017-08-11

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1991
   Important: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
                              11 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Fuse
                   Red Hat JBoss A-MQ
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7957 CVE-2017-5929 CVE-2017-5656
                   CVE-2017-5653 CVE-2017-5643 CVE-2017-3156
                   CVE-2017-2594 CVE-2017-2589 CVE-2016-9879
                   CVE-2016-8749 CVE-2015-6644 

Reference:         ESB-2017.1674
                   ESB-2017.1085
                   ESB-2017.0938
                   ESB-2016.0024

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:1832

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update
Advisory ID:       RHSA-2017:1832-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1832
Issue date:        2017-08-10
CVE Names:         CVE-2015-6644 CVE-2016-8749 CVE-2016-9879 
                   CVE-2017-2589 CVE-2017-2594 CVE-2017-3156 
                   CVE-2017-5643 CVE-2017-5653 CVE-2017-5656 
                   CVE-2017-5929 CVE-2017-7957 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. Red
Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ
6.3. It includes bug fixes and enhancements, which are documented in the
readme.txt file included with the patch files.

Security Fix(es):

* It was discovered that the hawtio servlet uses a single HttpClient
instance to proxy requests with a persistent cookie store (cookies are
stored locally and are not passed between the client and the end URL) which
means all clients using that proxy are sharing the same cookies.
(CVE-2017-2589)

* It was found that an information disclosure flaw in Bouncy Castle could
enable a local malicious application to gain access to user's private
information. (CVE-2015-6644)

* It was found that Apache Camel's camel-jackson and camel-jacksonxml
components are vulnerable to Java object de-serialisation vulnerability.
De-serializing untrusted data can lead to security flaws as demonstrated in
various similar reports about Java de-serialization issues. (CVE-2016-8749)

* It was found that Spring Security does not consider URL path parameters
when processing security constraints. By adding a URL path parameter with
an encoded / to a request an attacker may be able to bypass a security
constraint. (CVE-2016-9879)

* It was found that a path traversal vulnerability in hawtio leads to a
NullPointerException with a full stacktrace. An attacker could use this
flaw to gather undisclosed information from within hawtio's root.
(CVE-2017-2594)

* It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is
not using a constant time MAC signature comparison algorithm which may be
exploited by some sophisticated timing attacks. It may only affect OAuth2
Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC
secret key algorithms. (CVE-2017-3156)

* It was found that Apache Camel's validation component evaluates DTD
headers of XML stream sources, although a validation against XML schemas
(XSD) is executed. Remote attackers can use this feature to make
Server-Side Request Forgery (SSRF) attacks by sending XML documents with
remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643)

* It was found that a flaw exists in JAX-RS clients using the streaming
approach for XML signatures and encryption, where it does not enforce the
message to be signed/encrypted. This could allow an attacker to subvert the
integrity of the message. (CVE-2017-5653)

* It was found that the token cacher in Apache cxf uses a flawed way of
caching tokens that are associated with the delegation token received from
Security Token Service (STS). This vulnerability could allow an attacker to
craft a token which could return an identifier corresponding to a cached
token for another user. (CVE-2017-5656)

* It was found that logback is vulnerable to a deserialization issue.
Logback can be configured to allow remote logging through
SocketServer/ServerSocketReceiver interfaces that can accept untrusted
serialized data. Authenticated attackers on the adjacent network can
leverage this vulnerability to execute arbitrary code through
deserialization of custom gadget chains. (CVE-2017-5929)

* It was found that XStream contains a vulnerability that allows a
maliciously crafted file to be parsed successfully which could cause an
application crash. The crash occurs if the file that is being fed into
XStream input stream contains an instances of the primitive type 'void'. An
attacker could use this flaw to create a denial of service on the target
system. (CVE-2017-7957)

The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and
Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman
Broujerdi (Red Hat).

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

You can find installation instructions in the download section of the
customer portal.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1409838 - CVE-2016-9879 Spring Security: Improper handling of path parameters allows bypassing the security constraint
1413905 - CVE-2017-2589 hawtio: Proxy is sharing cookies among all the clients
1415543 - CVE-2017-2594 Hawtio information Disclosure flaws due to unsafe path traversal
1420832 - CVE-2016-8749 camel-jackson, camel-jacksonxml: Unmarshalling operation are vulnerable to RCE
1425455 - CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks
1432858 - CVE-2017-5929 logback: Serialization vulnerability in SocketServer and ServerSocketReceiver
1433374 - CVE-2017-5643 camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE
1441538 - CVE-2017-7957 XStream: DoS when unmarshalling void type
1444015 - CVE-2015-6644 bouncycastle: Information disclosure in GCMBlockCipher
1445327 - CVE-2017-5653 cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted
1445329 - CVE-2017-5656 cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens

5. References:

https://access.redhat.com/security/cve/CVE-2015-6644
https://access.redhat.com/security/cve/CVE-2016-8749
https://access.redhat.com/security/cve/CVE-2016-9879
https://access.redhat.com/security/cve/CVE-2017-2589
https://access.redhat.com/security/cve/CVE-2017-2594
https://access.redhat.com/security/cve/CVE-2017-3156
https://access.redhat.com/security/cve/CVE-2017-5643
https://access.redhat.com/security/cve/CVE-2017-5653
https://access.redhat.com/security/cve/CVE-2017-5656
https://access.redhat.com/security/cve/CVE-2017-5929
https://access.redhat.com/security/cve/CVE-2017-7957
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.3
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZjOeSXlSAg2UNWIIRAlJyAJ0SQuzh7ygwEkV13KsYvsAU+mmM4wCeOP47
KasCT9HsJuncvPk4hGkjKxY=
=pWh5
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWY0RvYx+lLeg9Ub1AQgnNQ/9F9xK0w9zPKVYe/Hzd2CBGq/UViV1x26c
Kf4gyY9ozEIQic41iu3YphRXyB+XOiALcMin3TrHScaPv1ZvhVQNf58BkH5Kz9Qp
Q/BmQumstvUSQXy2gT+iV3b8p5qS0Vqo188mxIK3/vtZoIScefb/b9U/Pq3N4QKZ
aEsZVHYEWaS+/bsk/Nyge1wY+8W6wtvyEQIHiUXN/dXzlPfEN51AEsyTgKEmr5MT
uQ7eCLd1FMZjC2gOOtGQ71Ku6QAeNLgbDe8FwkOYwZ6E9nBwPNsi6nGGUG5iOkuH
t9bkiBPaLvCy5fb7YKgPATBomR3pIGyAXv3GCCWO5uIQUr3caCqrQLHd7Xaqbo0G
2TqBz2ve8ZtcMB0rE89cLj54NiVYUSagnYaBTBF1JPXnBxq1w1P38mqa1yzEPF0m
VHpQOeLPeWXqIckc3coS7pEgtdNyCyxxLLd0ZUZ8u36KMJUmdfuD9qkFjiAaayuw
hgYgjnWsSc7CjtAorPKdn1vZikHJSKP1lggx3TFscshpq3JAvX6LyrBt6TilboIY
yyoUY+k11UL8do1BN/CqrHB+xbl/TW12qxFrr5E+BrNevYgBMzd04+S5jlCCP62G
u2ddjFIPjBbNjhU8zSwKy92dWyi+8Gt2o31T5IhHiR/xg7yGk5/HRExbojFph56e
B3GKL+/dKUc=
=gsk7
-----END PGP SIGNATURE-----

« Back to bulletins