RedHat: RHSA-2022-5532:01 Important: Red Hat Fuse 7.11.0 release an...


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Fuse 7.11.0 release and security update
Advisory ID:       RHSA-2022:5532-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5532
Issue date:        2022-07-07
CVE Names:         CVE-2020-7020 CVE-2020-9484 CVE-2020-15250 
                   CVE-2020-25689 CVE-2020-29582 CVE-2020-36518 
                   CVE-2021-2471 CVE-2021-3629 CVE-2021-3642 
                   CVE-2021-3644 CVE-2021-3807 CVE-2021-3859 
                   CVE-2021-4178 CVE-2021-22060 CVE-2021-22096 
                   CVE-2021-22119 CVE-2021-22569 CVE-2021-22573 
                   CVE-2021-24122 CVE-2021-25122 CVE-2021-25329 
                   CVE-2021-29505 CVE-2021-30640 CVE-2021-33037 
                   CVE-2021-33813 CVE-2021-35515 CVE-2021-35516 
                   CVE-2021-35517 CVE-2021-36090 CVE-2021-38153 
                   CVE-2021-40690 CVE-2021-41079 CVE-2021-41766 
                   CVE-2021-42340 CVE-2021-42550 CVE-2021-43797 
                   CVE-2021-43859 CVE-2022-0084 CVE-2022-1259 
                   CVE-2022-1319 CVE-2022-21363 CVE-2022-21724 
                   CVE-2022-22932 CVE-2022-22950 CVE-2022-22968 
                   CVE-2022-22970 CVE-2022-22971 CVE-2022-22976 
                   CVE-2022-22978 CVE-2022-23181 CVE-2022-23221 
                   CVE-2022-23596 CVE-2022-23913 CVE-2022-24614 
                   CVE-2022-25845 CVE-2022-26336 CVE-2022-26520 
                   CVE-2022-30126 
=====================================================================

1. Summary:

A minor version update (from 7.10 to 7.11) is now available for Red Hat
Fuse. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat
Fuse 7.10 and includes bug fixes and enhancements, which are documented in
the Release Notes document linked in the References.

Security Fix(es):

* fastjson (CVE-2022-25845)

* jackson-databind (CVE-2020-36518)

* mysql-connector-java (CVE-2021-2471, CVE-2022-21363)

* undertow (CVE-2022-1259, CVE-2021-3629, CVE-2022-1319)

* wildfly-elytron (CVE-2021-3642)

* nodejs-ansi-regex (CVE-2021-3807)

* 3 qt (CVE-2021-3859)

* kubernetes-client (CVE-2021-4178)

* spring-security (CVE-2021-22119)

* protobuf-java (CVE-2021-22569)

* google-oauth-client (CVE-2021-22573)

* XStream (CVE-2021-29505, CVE-2021-43859)

* jdom (CVE-2021-33813)

* apache-commons-compress (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517,
CVE-2021-36090)

* Kafka (CVE-2021-38153)

* xml-security (CVE-2021-40690)

* logback (CVE-2021-42550)

* netty (CVE-2021-43797)

* xnio (CVE-2022-0084)

* jdbc-postgresql (CVE-2022-21724)

* spring-expression (CVE-2022-22950)

* springframework (CVE-2021-22096, CVE-2021-22060, CVE-2022-22976,
CVE-2022-22970, CVE-2022-22971, CVE-2022-22978)

* h2 (CVE-2022-23221)

* junrar (CVE-2022-23596)

* artemis-commons (CVE-2022-23913)

* elasticsearch (CVE-2020-7020)

* tomcat (CVE-2021-24122, CVE-2021-25329, CVE-2020-9484, CVE-2021-25122,
CVE-2021-33037, CVE-2021-30640, CVE-2021-41079, CVE-2021-42340,
CVE-2022-23181)

* junit4 (CVE-2020-15250)

* wildfly-core (CVE-2020-25689, CVE-2021-3644)

* kotlin (CVE-2020-29582)

* karaf (CVE-2021-41766, CVE-2022-22932)

* Spring Framework (CVE-2022-22968)

* metadata-extractor (CVE-2022-24614)

* poi-scratchpad (CVE-2022-26336)

* postgresql-jdbc (CVE-2022-26520)

* tika-core (CVE-2022-30126)

For more details about the security issues, including the impact, CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are available from the Fuse 7.11.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

4. Bugs fixed (https://bugzilla.redhat.com/):

1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure
1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system
1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure
1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c
1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream
1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request
1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request
1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive
1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive
1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file
2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
2046279 - CVE-2022-22932 karaf: path traversal flaws
2046282 - CVE-2021-41766 karaf: insecure java deserialization
2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability
2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting
2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file
2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception
2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability
2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression
2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS (incomplete fix for CVE-2021-3629)
2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures
2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability
2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified
2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31
2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part
2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket
2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher
2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor
2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization

5. References:

https://access.redhat.com/security/cve/CVE-2020-7020
https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/cve/CVE-2020-15250
https://access.redhat.com/security/cve/CVE-2020-25689
https://access.redhat.com/security/cve/CVE-2020-29582
https://access.redhat.com/security/cve/CVE-2020-36518
https://access.redhat.com/security/cve/CVE-2021-2471
https://access.redhat.com/security/cve/CVE-2021-3629
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3644
https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-3859
https://access.redhat.com/security/cve/CVE-2021-4178
https://access.redhat.com/security/cve/CVE-2021-22060
https://access.redhat.com/security/cve/CVE-2021-22096
https://access.redhat.com/security/cve/CVE-2021-22119
https://access.redhat.com/security/cve/CVE-2021-22569
https://access.redhat.com/security/cve/CVE-2021-22573
https://access.redhat.com/security/cve/CVE-2021-24122
https://access.redhat.com/security/cve/CVE-2021-25122
https://access.redhat.com/security/cve/CVE-2021-25329
https://access.redhat.com/security/cve/CVE-2021-29505
https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-33813
https://access.redhat.com/security/cve/CVE-2021-35515
https://access.redhat.com/security/cve/CVE-2021-35516
https://access.redhat.com/security/cve/CVE-2021-35517
https://access.redhat.com/security/cve/CVE-2021-36090
https://access.redhat.com/security/cve/CVE-2021-38153
https://access.redhat.com/security/cve/CVE-2021-40690
https://access.redhat.com/security/cve/CVE-2021-41079
https://access.redhat.com/security/cve/CVE-2021-41766
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/cve/CVE-2021-42550
https://access.redhat.com/security/cve/CVE-2021-43797
https://access.redhat.com/security/cve/CVE-2021-43859
https://access.redhat.com/security/cve/CVE-2022-0084
https://access.redhat.com/security/cve/CVE-2022-1259
https://access.redhat.com/security/cve/CVE-2022-1319
https://access.redhat.com/security/cve/CVE-2022-21363
https://access.redhat.com/security/cve/CVE-2022-21724
https://access.redhat.com/security/cve/CVE-2022-22932
https://access.redhat.com/security/cve/CVE-2022-22950
https://access.redhat.com/security/cve/CVE-2022-22968
https://access.redhat.com/security/cve/CVE-2022-22970
https://access.redhat.com/security/cve/CVE-2022-22971
https://access.redhat.com/security/cve/CVE-2022-22976
https://access.redhat.com/security/cve/CVE-2022-22978
https://access.redhat.com/security/cve/CVE-2022-23181
https://access.redhat.com/security/cve/CVE-2022-23221
https://access.redhat.com/security/cve/CVE-2022-23596
https://access.redhat.com/security/cve/CVE-2022-23913
https://access.redhat.com/security/cve/CVE-2022-24614
https://access.redhat.com/security/cve/CVE-2022-25845
https://access.redhat.com/security/cve/CVE-2022-26336
https://access.redhat.com/security/cve/CVE-2022-26520
https://access.redhat.com/security/cve/CVE-2022-30126
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.11.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
