Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2021:3140: Red Hat Security Advisory: Red Hat Fuse 7.9.0 release and security update

A minor version update (from 7.8 to 7.9) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse 7.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es):

  • hawtio-osgi (CVE-2017-5645)
  • prometheus-jmx-exporter: snakeyaml (CVE-2017-18640)
  • apache-commons-compress (CVE-2019-12402)
  • karaf-transaction-manager-narayana: netty (CVE-2019-16869, CVE-2019-20445)
  • tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934, CVE-2020-13935, CVE-2020-11996)
  • spring-cloud-config-server (CVE-2020-5410)
  • velocity (CVE-2020-13936)
  • httpclient: apache-httpclient (CVE-2020-13956)
  • shiro-core: shiro (CVE-2020-17510)
  • hibernate-core (CVE-2020-25638)
  • wildfly-openssl (CVE-2020-25644)
  • jetty (CVE-2020-27216, CVE-2021-28165)
  • bouncycastle (CVE-2020-28052)
  • wildfly (CVE-2019-14887, CVE-2020-25640)
  • resteasy-jaxrs: resteasy (CVE-2020-1695)
  • camel-olingo4 (CVE-2020-1925)
  • springframework (CVE-2020-5421)
  • jsf-impl: Mojarra (CVE-2020-6950)
  • resteasy (CVE-2020-10688)
  • hibernate-validator (CVE-2020-10693)
  • wildfly-elytron (CVE-2020-10714)
  • undertow (CVE-2020-10719)
  • activemq (CVE-2020-13920)
  • cxf-core: cxf (CVE-2020-13954)
  • fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040)
  • jboss-ejb-client: wildfly (CVE-2020-14297)
  • xercesimpl: wildfly (CVE-2020-14338)
  • xnio (CVE-2020-14340)
  • flink: apache-flink (CVE-2020-17518)
  • resteasy-client (CVE-2020-25633)
  • xstream (CVE-2020-26258)
  • mybatis (CVE-2020-26945)
  • pdfbox (CVE-2021-27807, CVE-2021-27906) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs:
  • CVE-2017-5645: log4j: Socket receiver deserialization vulnerability
  • CVE-2017-18640: snakeyaml: Billion laughs attack via alias feature
  • CVE-2019-12402: apache-commons-compress: Infinite loop in name encoding algorithm
  • CVE-2019-14887: wildfly: The ‘enabled-protocols’ value in legacy security is not respected if OpenSSL security provider is in use
  • CVE-2019-16869: netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
  • CVE-2019-20445: netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
  • CVE-2020-1695: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
  • CVE-2020-1925: olingo-odata: Server side request forgery in AsyncResponseWrapperImpl
  • CVE-2020-1935: tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
  • CVE-2020-1938: tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
  • CVE-2020-5410: spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack
  • CVE-2020-5421: springframework: RFD protection bypass via jsessionid
  • CVE-2020-6950: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
  • CVE-2020-9484: tomcat: deserialization flaw in session persistence storage leading to RCE
  • CVE-2020-10688: RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
  • CVE-2020-10693: hibernate-validator: Improper input validation in the interpolation of constraint error messages
  • CVE-2020-10714: wildfly-elytron: session fixation when using FORM authentication
  • CVE-2020-10719: undertow: invalid HTTP request with large chunk size
  • CVE-2020-11996: tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS
  • CVE-2020-13920: activemq: improper authentication allows MITM attack
  • CVE-2020-13934: tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS
  • CVE-2020-13935: tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS
  • CVE-2020-13936: velocity: arbitrary code execution when attacker is able to modify templates
  • CVE-2020-13954: cxf: XSS via the styleSheetPath
  • CVE-2020-13956: apache-httpclient: incorrect handling of malformed authority component in request URIs
  • CVE-2020-14040: golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
  • CVE-2020-14297: wildfly: Some EJB transaction objects may get accumulated causing Denial of Service
  • CVE-2020-14338: wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl
  • CVE-2020-14340: xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS
  • CVE-2020-17510: shiro: specially crafted HTTP request may cause an authentication bypass
  • CVE-2020-17518: apache-flink: directory traversal attack allows remote file writing through the REST API
  • CVE-2020-25633: resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client’s WebApplicationException handling
  • CVE-2020-25638: hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used
  • CVE-2020-25640: wildfly: resource adapter logs plaintext JMS password at warning level on connection error
  • CVE-2020-25644: wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
  • CVE-2020-26258: XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
  • CVE-2020-26945: mybatis: mishandles deserialization of object streams which could result in remote code execution
  • CVE-2020-27216: jetty: local temporary directory hijacking vulnerability
  • CVE-2020-28052: bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
  • CVE-2021-27807: pdfbox: infinite loop while loading a crafted PDF file
  • CVE-2021-27906: pdfbox: OutOfMemory-Exception while loading a crafted PDF file
  • CVE-2021-28165: jetty: Resource exhaustion when receiving an invalid large TLS frame
Red Hat Security Data
Open in Source
#sql#xss#vulnerability#web#red_hat#dos#apache#js#java

Red Hat Security Data: Latest News

RHSA-2023:5627: Red Hat Security Advisory: kernel security, bug fix, and enhancement update
Red Hat Security Data