Red Hat Fuse 7.9.0 RHSA-2021-3140 Moderate: Fixes for Security Issues
red hat
August 11, 2021
A minor version update (from 7.8 to 7.9) is now available for Red Hat Fuse
Solution
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
Installation instructions are available from the Fuse 7.9.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/
Summary
This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse
7.8, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* hawtio-osgi (CVE-2017-5645)
* prometheus-jmx-exporter: snakeyaml (CVE-2017-18640)
* apache-commons-compress (CVE-2019-12402)
* karaf-transaction-manager-narayana: netty (CVE-2019-16869,
CVE-2019-20445)
* tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934,
CVE-2020-13935, CVE-2020-11996)
* spring-cloud-config-server (CVE-2020-5410)
* velocity (CVE-2020-13936)
* httpclient: apache-httpclient (CVE-2020-13956)
* shiro-core: shiro (CVE-2020-17510)
* hibernate-core (CVE-2020-25638)
* wildfly-openssl (CVE-2020-25644)
* jetty (CVE-2020-27216, CVE-2021-28165)
* bouncycastle (CVE-2020-28052)
* wildfly (CVE-2019-14887, CVE-2020-25640)
* resteasy-jaxrs: resteasy (CVE-2020-1695)
* camel-olingo4 (CVE-2020-1925)
* springframework (CVE-2020-5421)
* jsf-impl: Mojarra (CVE-2020-6950)
* resteasy (CVE-2020-10688)
* hibernate-validator (CVE-2020-10693)
* wildfly-elytron (CVE-2020-10714)
* undertow (CVE-2020-10719)
* activemq (CVE-2020-13920)
* cxf-core: cxf (CVE-2020-13954)
* fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040)
* jboss-ejb-client: wildfly (CVE-2020-14297)
* xercesimpl: wildfly (CVE-2020-14338)
* xnio (CVE-2020-14340)
* flink: apache-flink (CVE-2020-17518)
* resteasy-client (CVE-2020-25633)
* xstream (CVE-2020-26258)
* mybatis (CVE-2020-26945)
* pdfbox (CVE-2021-27807, CVE-2021-27906)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
References
https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/cve/CVE-2017-18640 https://access.redhat.com/security/cve/CVE-2019-12402 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-16869 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1925 https://access.redhat.com/security/cve/CVE-2020-1935 https://access.redhat.com/security/cve/CVE-2020-1938 https://access.redhat.com/security/cve/CVE-2020-5410 https://access.redhat.com/security/cve/CVE-2020-5421 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10693 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/cve/CVE-2020-11996 https://access.redhat.com/security/cve/CVE-2020-13920 https://access.redhat.com/security/cve/CVE-2020-13934 https://access.redhat.com/security/cve/CVE-2020-13935 https://access.redhat.com/security/cve/CVE-2020-13936 Read the Full Advisory
Package List
PREVIOUS
NEXT
Advisory ID: RHSA-2021:3140-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3140
Issue date: 2021-08-11
Topic
A minor version update (from 7.8 to 7.9) is now available for Red Hat Fuse.The purpose of this text-only errata is to inform you about the securityissues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Relevant Releases Architectures
Bugs Fixed
1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers1764640 - CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm
1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
1785376 - CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature
1790309 - CVE-2020-1925 olingo-odata: Server side request forgery in AsyncResponseWrapperImpl
1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages
1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!