ESB-2018.3763 - [RedHat] Red Hat Fuse 7.2: Multiple vulnerabilities 2018-12-05



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3763
                Important: Red Hat Fuse 7.2 security update
                              5 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Fuse 7.2
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Delete Arbitrary Files          -- Existing Account            
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12537 CVE-2018-8041 CVE-2018-8039
                   CVE-2018-8018 CVE-2018-8014 CVE-2018-1336
                   CVE-2018-1288 CVE-2018-1259 CVE-2018-1257
                   CVE-2017-12196 CVE-2016-5003 CVE-2016-5002

Reference:         ASB-2018.0258
                   ESB-2018.2621
                   ESB-2018.2298
                   ESB-2018.1867
                   ESB-2018.1630
                   ESB-2018.1509

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:3768

- --------------------------BEGIN INCLUDED TEXT--------------------


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Fuse 7.2 security update
Advisory ID:       RHSA-2018:3768-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:3768
Issue date:        2018-12-04
CVE Names:         CVE-2016-5002 CVE-2016-5003 CVE-2017-12196 
                   CVE-2018-1257 CVE-2018-1259 CVE-2018-1288 
                   CVE-2018-1336 CVE-2018-8014 CVE-2018-8018 
                   CVE-2018-8039 CVE-2018-8041 CVE-2018-12537 
=====================================================================

1. Summary:

An update is now available for Red Hat Fuse.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Fuse enables integration experts, application developers, and
business users to collaborate and independently develop connected
solutions.

Fuse is part of an agile integration solution. Its distributed approach
allows teams to deploy integrated services where required. The API-centric,
container-based architecture decouples services so they can be created,
extended, and deployed independently.

This release of Red Hat Fuse 7.2 serves as a replacement for Red Hat Fuse
7.1, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* xmlrpc: Deserialization of untrusted Java object through
<ex:serializable> tag (CVE-2016-5003)

* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)

* ignite: Improper deserialization allows for code execution via
GridClientJdkMarshaller endpoint (CVE-2018-8018)

* apache-cxf: TLS hostname verification does not work correctly with
com.sun.net.ssl.* (CVE-2018-8039)

* xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
(CVE-2016-5002)

* undertow: Client can use bogus uri in Digest authentication
(CVE-2017-12196)

* spring-data-commons: XXE with Spring Data's XMLBeam integration
(CVE-2018-1259)

* kafka: Users can perform Broker actions via crafted fetch requests,
interfering with data replication and causing data loss (CVE-2018-1288)

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for
all origins (CVE-2018-8014)

* camel-mail: path traversal vulnerability (CVE-2018-8041)

* vertx: Improper neutralization of CRLF sequences allows remote attackers
to inject arbitrary HTTP response headers (CVE-2018-12537)

* spring-framework: ReDoS Attack with spring-messaging (CVE-2018-1257)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank Eedo Shapira (GE Digital) for reporting
CVE-2018-8041. The CVE-2017-12196 issue was discovered by Jan Stourac (Red
Hat).

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are located in the download section of the
customer portal.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication
1508110 - CVE-2016-5002 xmlrpc: XML external entity vulnerability SSRF via a crafted DTD
1508123 - CVE-2016-5003 xmlrpc: Deserialization of untrusted Java object through <ex:serializable> tag
1578578 - CVE-2018-1257 spring-framework: ReDoS Attack with spring-messaging
1578902 - CVE-2018-1259 spring-data-commons: XXE with Spring Data's XMLBeam integration
1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1591072 - CVE-2018-12537 vertx: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers
1595332 - CVE-2018-8039 apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1607731 - CVE-2018-8018 ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint
1611059 - CVE-2018-1288 kafka: Users can perform Broker actions via crafted fetch requests, interfering with data replication and causing data loss
1612644 - CVE-2018-8041 camel-mail: path traversal vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2016-5002
https://access.redhat.com/security/cve/CVE-2016-5003
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2018-1257
https://access.redhat.com/security/cve/CVE-2018-1259
https://access.redhat.com/security/cve/CVE-2018-1288
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8018
https://access.redhat.com/security/cve/CVE-2018-8039
https://access.redhat.com/security/cve/CVE-2018-8041
https://access.redhat.com/security/cve/CVE-2018-12537
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=7.2.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.2/
https://access.redhat.com/articles/2939351

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================