
Red Hat Fuse Integration Services Update RHSA-2018-2405-01 Critical Issue

Red Hat, August 14, 2018
Critical Update Available for Red Hat Fuse Integration Services with Key Security Patches and Detailed Guidance for Users.
An update is now available for Red Hat Fuse Integration Services.

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Updating instructions and release notes may be found at:

https://access.redhat.com/articles/3060411

Summary

Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift.
Security fix(es):
* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)
* spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code (CVE-2017-8046)
* spring-framework: Improper URL path validation allows for bypassing of security checks on static resources (CVE-2018-1199)
* ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints (CVE-2018-1295)
* spark: Absolute and relative pathnames allow for unintended static file disclosure (CVE-2018-9159)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).

References

https://access.redhat.com/security/cve/CVE-2017-8046
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2018-1199
https://access.redhat.com/security/cve/CVE-2018-1295
https://access.redhat.com/security/cve/CVE-2018-9159
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/articles/3060411

Severity: Critical

Advisory ID: RHSA-2018:2405-01
Product: Red Hat JBoss Fuse
Issue date: 2018-08-14

Topic

An update is now available for Red Hat Fuse Integration Services. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases/Architectures

Bugs Fixed

1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication

1540030 - CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources

1553024 - CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code

1563133 - CVE-2018-1295 ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints

1563732 - CVE-2018-9159 spark: Absolute and relative pathnames allow for unintended static file disclosure

JIRA Issues Fixed (https://redhat.atlassian.net/jira/projects)

ENTESB-8308 - CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code

ENTESB-8456 - CVE-2018-1199 spring: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fis-2.0]

ENTESB-8682 - CVE-2018-1295 ignite-core: ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints [fis-2.0]
