Red Hat Fuse 7.11.0: RHSA-2022-5532 Important Security Fixes
red hat
July 27, 2022
A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse
Solution
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
Installation instructions are available from the Fuse 7.11.0 product
documentation page:
https://docs.redhat.com/en/documentation/red_hat_fuse/7.11
Summary
This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat
Fuse 7.10 and includes bug fixes and enhancements, which are documented in
the Release Notes document linked in the References.
Security Fix(es):
* fastjson (CVE-2022-25845)
* jackson-databind (CVE-2020-36518)
* mysql-connector-java (CVE-2021-2471, CVE-2022-21363)
* undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)
* wildfly-elytron (CVE-2021-3642)
* nodejs-ansi-regex (CVE-2021-3807, CVE-2021-3807)
* 3 qt (CVE-2021-3859)
* kubernetes-client (CVE-2021-4178)
* spring-security (CVE-2021-22119)
* protobuf-java (CVE-2021-22569)
* google-oauth-client (CVE-2021-22573)
* XStream (CVE-2021-29505, CVE-2021-43859)
* jdom (CVE-2021-33813, CVE-2021-33813)
* apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517,
CVE-2021-36090)
* Kafka (CVE-2021-38153)
* xml-security (CVE-2021-40690)
* logback (CVE-2021-42550)
* netty (CVE-2021-43797)
* xnio (CVE-2022-0084)
* jdbc-postgresql (CVE-2022-21724)
* spring-expression (CVE-2022-22950)
* springframework (CVE-2021-22096, CVE-2021-22060, CVE-2021-22096,
CVE-2022-22976, CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)
* h2 (CVE-2022-23221)
* junrar (CVE-2022-23596)
* artemis-commons (CVE-2022-23913)
* elasticsearch (CVE-2020-7020)
* tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122,
CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340,
CVE-2022-23181)
* junit4 (CVE-2020-15250)
* wildfly-core (CVE-2020-25689, CVE-2021-3644)
* kotlin (CVE-2020-29582)
* karaf (CVE-2021-41766, CVE-2022-22932)
* Spring Framework (CVE-2022-22968)
* metadata-extractor (CVE-2022-24614)
* poi-scratchpad (CVE-2022-26336)
* postgresql-jdbc (CVE-2022-26520)
* tika-core (CVE-2022-30126)
For more details about the security issues, including the impact, CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2020-7020 https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/cve/CVE-2020-15250 https://access.redhat.com/security/cve/CVE-2020-25689 https://access.redhat.com/security/cve/CVE-2020-29582 https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-2471 https://access.redhat.com/security/cve/CVE-2021-3629 https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-3644 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-3859 https://access.redhat.com/security/cve/CVE-2021-4178 https://access.redhat.com/security/cve/CVE-2021-22060 https://access.redhat.com/security/cve/CVE-2021-22096 https://access.redhat.com/security/cve/CVE-2021-22119 https://access.redhat.com/security/cve/CVE-2021-22569 https://access.redhat.com/security/cve/CVE-2021-22573 https://access.redhat.com/security/cve/CVE-2021-24122 https://access.redhat.com/security/cve/CVE-2021-25122 https://access.redhat.com/security/cve/CVE-2021-25329 https://access.redhat.com/security/cve/CVE-2021-29505 https://access.redhat.com/security/cve/CVE-2021-30640 Read the Full Advisory
Package List
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2022:5532-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5532
Issue date: 2022-07-07
Topic
A minor version update (from 7.10 to 7.11) is now available for Red HatFuse. The purpose of this text-only errata is to inform you about thesecurity issues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topics Covered
Relevant Releases Architectures
Bugs Fixed
1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure
1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c
1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!