RedHat: RHSA-2018-2405:01 Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R7
Summary
Red Hat Fuse Integration Services provides a set of tools and containerized
xPaaS images that enable development, deployment, and management of
integration microservices within OpenShift.
Security fix(es):
* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)
* spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code (CVE-2017-8046)
* spring-framework: Improper URL path validation allows for bypassing of security checks on static resources (CVE-2018-1199)
* ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints (CVE-2018-1295)
* spark: Absolute and relative pathnames allow for unintended static file disclosure (CVE-2018-9159)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
The CVE-2017-12196 issue was discovered by Jan Stourac (Red Hat).
Solution
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
Updating instructions and release notes may be found at:
https://access.redhat.com/articles/3060411
References
https://access.redhat.com/security/cve/CVE-2017-8046
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2018-1199
https://access.redhat.com/security/cve/CVE-2018-1295
https://access.redhat.com/security/cve/CVE-2018-9159
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/articles/3060411
Topic
An update is now available for Red Hat Fuse Integration Services.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Bugs Fixed
1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication
1540030 - CVE-2018-1199 spring-framework: Improper URL path validation allows for bypassing of security checks on static resources
1553024 - CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
1563133 - CVE-2018-1295 ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints
1563732 - CVE-2018-9159 spark: Absolute and relative pathnames allow for unintended static file disclosure
JIRA issues fixed (https://issues.redhat.com/):
ENTESB-8308 - CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
ENTESB-8456 - CVE-2018-1199 spring: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fis-2.0]
ENTESB-8682 - CVE-2018-1295 ignite-core: ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints [fis-2.0]