-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Fuse 7.12 release and security update
Advisory ID:       RHSA-2023:3954-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3954
Issue date:        2023-06-29
CVE Names:         CVE-2012-5783 CVE-2020-13956 CVE-2022-4492 
                   CVE-2022-24785 CVE-2022-31692 CVE-2022-36437 
                   CVE-2022-38398 CVE-2022-38648 CVE-2022-40146 
                   CVE-2022-41704 CVE-2022-41854 CVE-2022-41881 
                   CVE-2022-41940 CVE-2022-41946 CVE-2022-41966 
                   CVE-2022-42890 CVE-2022-42920 CVE-2022-45143 
                   CVE-2022-46363 CVE-2022-46364 CVE-2023-1108 
                   CVE-2023-1370 CVE-2023-20860 CVE-2023-20861 
                   CVE-2023-20883 CVE-2023-22602 CVE-2023-33201 
====================================================================
1. Summary:

A minor version update (from 7.11 to 7.12) is now available for Red Hat
Fuse. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse
7.11 and includes bug fixes and enhancements, which are documented in the
Release Notes document linked in the References.

Security Fix(es):

* hazelcast: Hazelcast connection caching (CVE-2022-36437)

* spring-security: Authorization rules can be bypassed via forward or
include dispatcher types in Spring Security (CVE-2022-31692)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds
writing (CVE-2022-42920)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* jakarta-commons-httpclient: missing connection hostname check against
X.509 certificate name (CVE-2012-5783)

* apache-httpclient: incorrect handling of malformed authority component in
request URIs (CVE-2020-13956)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* Moment.js: Path traversal in moment.locale (CVE-2022-24785)

* batik: Server-Side Request Forgery (CVE-2022-38398)

* batik: Server-Side Request Forgery (CVE-2022-38648)

* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

* batik: Apache XML Graphics Batik vulnerable to code execution via SVG
(CVE-2022-41704)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* engine.io: Specially crafted HTTP request can trigger an uncaught
exception (CVE-2022-41940)

* postgresql-jdbc: Information leak of prepared statement data due to
insecure temporary file permissions (CVE-2022-41946)

* batik: Untrusted code execution in Apache XML Graphics Batik
(CVE-2022-42890)

* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* shiro: Authentication bypass through a specially crafted HTTP request
(CVE-2023-22602)

* bouncycastle: potential  blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)

* tomcat: JsonErrorReportValve injection (CVE-2022-45143)

For more details about the security issues, including the impact, CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2144970 - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching
2162206 - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG
2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik
2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability
2215465 - CVE-2023-33201 bouncycastle: potential  blind LDAP injection attack using a self-signed certificate

5. JIRA issues fixed (https://issues.redhat.com/):

ENTESB-20598 - Incomplete fix of CVE-2020-13956
ENTESB-20598 - Incomplete fix of CVE-2020-13956
ENTESB-21418 - CVE-2023-1370,  ensure that Syndesis is using fixed json-smart

6. References:

https://access.redhat.com/security/cve/CVE-2012-5783
https://access.redhat.com/security/cve/CVE-2020-13956
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-31692
https://access.redhat.com/security/cve/CVE-2022-36437
https://access.redhat.com/security/cve/CVE-2022-38398
https://access.redhat.com/security/cve/CVE-2022-38648
https://access.redhat.com/security/cve/CVE-2022-40146
https://access.redhat.com/security/cve/CVE-2022-41704
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2022-41940
https://access.redhat.com/security/cve/CVE-2022-41946
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42890
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-45143
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/cve/CVE-2023-22602
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJ38aNzjgjWX9erEAQinAxAAok8XXaAwrRfOZy4j/osu5ZPTMpagKw0Q
lf+XZ8a1F38yrVIxk7d48h04HBR865GIqAh5CrN0L9nrxGzkM6Dtiw43KzF3rXbd
39ozCXv3y1JzRygzUM/RDv10s7kQAqAS9ZU1DWla0ALlcteOfKT98Ao8MAIhgrHg
Ao+GtGN+jyVsIgfBkI7y6NoFmPG7OaPVg4F85Hq/uuOwg879CKkRIFWLFc8ziVtb
QoouQ5Zdtb4wnhSqhzJq4pccKeSFXQG+uJV/OIlgMhbdGGkUOtcwX4CW8F584LiH
ETBbkwnZfUF1FNo3sLRN942z4InkuLnqaX2TdT8wTaQCja1FW/O0Q7IfYTS9ESJ0
xi06Rn3IeUoJCKIfeKrjI0f1dWqfHy11/TTNgANFbMRjlxJkNAN9nZLD5KdvzOp4
1WfYTEsvuIaXchH/URDooI9BQ8m38kHogw/a9E/Qq4iXPRQtME7ANHfidCsuTq/9
uYqOhuaqF82TMEmq2Y3P2D8RT5rnHFjjRbUvKbljzNBX2Co4CJ32zk3L1ol6GHZh
rvnG1Tco9us8BbVHhSWaTSt3UOjf1eg1U9fhEijA8jR8tSf2Fw7c4e6dqU5kytVp
ihK2fPpJ1HKqEm3gmPBEIYzSn7UxpjFMN1aZLRa5CZAD4p410Qg1zNX3BVLLI3zp
vi0V6dxNE2g=yKwR
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3954:01 Critical: Red Hat Fuse 7.12 release and security

A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse

Summary

This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hazelcast: Hazelcast connection caching (CVE-2022-36437)
* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)
* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)
* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2012-5783 https://access.redhat.com/security/cve/CVE-2020-13956 https://access.redhat.com/security/cve/CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-31692 https://access.redhat.com/security/cve/CVE-2022-36437 https://access.redhat.com/security/cve/CVE-2022-38398 https://access.redhat.com/security/cve/CVE-2022-38648 https://access.redhat.com/security/cve/CVE-2022-40146 https://access.redhat.com/security/cve/CVE-2022-41704 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2022-41940 https://access.redhat.com/security/cve/CVE-2022-41946 https://access.redhat.com/security/cve/CVE-2022-41966 https://access.redhat.com/security/cve/CVE-2022-42890 https://access.redhat.com/security/cve/CVE-2022-42920 https://access.redhat.com/security/cve/CVE-2022-45143 https://access.redhat.com/security/cve/CVE-2022-46363 https://access.redhat.com/security/cve/CVE-2022-46364 https://access.redhat.com/security/cve/CVE-2023-1108 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20861 https://access.redhat.com/security/cve/CVE-2023-20883 https://access.redhat.com/security/cve/CVE-2023-22602 https://access.redhat.com/security/cve/CVE-2023-33201 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/

Package List


Severity
Advisory ID: RHSA-2023:3954-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3954
Issued Date: : 2023-06-29
CVE Names: CVE-2012-5783 CVE-2020-13956 CVE-2022-4492 CVE-2022-24785 CVE-2022-31692 CVE-2022-36437 CVE-2022-38398 CVE-2022-38648 CVE-2022-40146 CVE-2022-41704 CVE-2022-41854 CVE-2022-41881 CVE-2022-41940 CVE-2022-41946 CVE-2022-41966 CVE-2022-42890 CVE-2022-42920 CVE-2022-45143 CVE-2022-46363 CVE-2022-46364 CVE-2023-1108 CVE-2023-1370 CVE-2023-20860 CVE-2023-20861 CVE-2023-20883 CVE-2023-22602 CVE-2023-33201

Topic

A minor version update (from 7.11 to 7.12) is now available for Red HatFuse. The purpose of this text-only errata is to inform you about thesecurity issues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs

2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

2144970 - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow

2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client

2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS

2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions

2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability

2155292 - CVE-2022-38398 batik: Server-Side Request Forgery

2155295 - CVE-2022-38648 batik: Server-Side Request Forgery

2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration

2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability

2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection

2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching

2162206 - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security

2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow

2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close

2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability

2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG

2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik

2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request

2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate

5. JIRA issues fixed (https://issues.redhat.com/):

ENTESB-20598 - Incomplete fix of CVE-2020-13956

ENTESB-20598 - Incomplete fix of CVE-2020-13956

ENTESB-21418 - CVE-2023-1370, ensure that Syndesis is using fixed json-smart


Related News

8.Locks HexConnections CodeGlobe Esm H320
1 - 2 min read
The latest release of Debian , one of the oldest and most trusted distributions within the Linux ecosystem, redefines security, stability, and
20.Lock AbstractDigital Circular Esm H320
1 - 2 min read
The Ubuntu security team has recently discovered and addressed multiple vulnerabilities in the Apache HTTP Server. The vulnerabilities affected
1.Penguin Landscape Esm H320
1 - 2 min read
A critical vulnerability was discovered in the Linux kernel's netfilter subsystem, specifically within the nf_tables component, posing potential
19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved