-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.3 R14 security and bug fix update
Advisory ID:       RHSA-2019:4352-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4352
Issue date:        2019-12-19
CVE Names:         CVE-2019-0201 CVE-2019-9512 CVE-2019-9514 
                   CVE-2019-9515 CVE-2019-9518 CVE-2019-10173 
                   CVE-2019-12384 
====================================================================
1. Summary:

An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss
A-MQ 6.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Fuse provides a small-footprint, flexible, open source enterprise
service bus and integration platform. Red Hat A-MQ is a standards compliant
messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It
includes bug fixes, which are documented in the patch notes accompanying
the package on the download page. See the download link given in the
references section below.

Security fix(es):

* zookeeper: Information disclosure in Apache ZooKeeper (CVE-2019-0201)

* HTTP/2: flood using PING frames results in unbounded memory growth
(CVE-2019-9512)

* HTTP/2: flood using HEADERS frames results in unbounded memory growth
(CVE-2019-9514)

* HTTP/2: flood using SETTINGS frames results in unbounded memory growth
(CVE-2019-9515) 

* HTTP/2: flood using empty frames results in excessive resource
consumption (CVE-2019-9518)

* xstream: remote code execution due to insecure XML deserialization
(CVE-2019-10173)

* jackson-databind: failure to block the logback-core class from
polymorphic deserialization leading to remote code execution
(CVE-2019-12384)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are located in the download section of the
customer portal.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1715197 - CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper
1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of  CVE-2013-7285)
1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption

5. References:

https://access.redhat.com/security/cve/CVE-2019-0201
https://access.redhat.com/security/cve/CVE-2019-9512
https://access.redhat.com/security/cve/CVE-2019-9514
https://access.redhat.com/security/cve/CVE-2019-9515
https://access.redhat.com/security/cve/CVE-2019-9518
https://access.redhat.com/security/cve/CVE-2019-10173
https://access.redhat.com/security/cve/CVE-2019-12384
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.broker&downloadType=securityPatches&version=6.3.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/release_notes/index

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfu1vtzjgjWX9erEAQiMjA//XqIwbDhdop0p5RpMbd3RJ87mafa5zuK8
IzZGKOQ8PqTtSWhfH7t56gl+GASljIExgFGI43Sbo+gcbyVuC4EHYQz4p8lZA5SW
P7Qg2pSc3Kw2IAEOIn68j7uE1IsZd1gqsPyqpLT7FXaiNobxLYCCvn+V47IHfb91
r9sAVe69BNFBsamvdij/dIAp8vovgwrzpl6XFhSG83AJCSe527Eh96MRJ3O7DXBc
jszqf41l6td7UECYRfgILyBibnrnFgwjyHEOabsniEGRrRCZzVTfFbmnA6e4Vi1H
0hGZ97qoizQ2cxe515UlBNZ2rglITgp9hzZ27stNIFa4vKLOKLgh0IBRqdtY9gJV
hNOyAN3VV7B3e/RSxnOH9s+GS9581+dG8J2j/4fsIh3yCm5517RtV0doaQB6ldTo
Dg+7+tKTtrJVedUsjFduC0RZ6fQgtqz2DruktOfejN+bbFKEhFFHoYJD9ItBqJLq
elH2TglaQkjIWtP+vrmBHWKGOsZ0Q7gTPWIHnralMMYtT0LgPh1SiWam4Fy6Hfu1
4aHCBdWEr5OeGXupPcb926+E2IpsAN3B/zcSoJyfO+fq8ySCagHu+EtNAC1Pn2G5
0C0qKlU6ZdTMixwzMvSd/weLE1Evldp2rYdg7TqvJq6l4drkqJqC48DqD4YoO0W0
ohGOzwauhEI=ohgL
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2019-4352:01 Important: Red Hat JBoss Fuse/A-MQ 6.3 R14

An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3

Summary

Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.
Security fix(es):
* zookeeper: Information disclosure in Apache ZooKeeper (CVE-2019-0201)
* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
* HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
* HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
* HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)
* xstream: remote code execution due to insecure XML deserialization (CVE-2019-10173)
* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Installation instructions are located in the download section of the customer portal.
The References section of this erratum contains a download link (you must log in to download the update).

References

https://access.redhat.com/security/cve/CVE-2019-0201 https://access.redhat.com/security/cve/CVE-2019-9512 https://access.redhat.com/security/cve/CVE-2019-9514 https://access.redhat.com/security/cve/CVE-2019-9515 https://access.redhat.com/security/cve/CVE-2019-9518 https://access.redhat.com/security/cve/CVE-2019-10173 https://access.redhat.com/security/cve/CVE-2019-12384 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.broker&downloadType=securityPatches&version=6.3.0 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3 https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/release_notes/index

Package List


Severity
Advisory ID: RHSA-2019:4352-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2019:4352
Issued Date: : 2019-12-19
CVE Names: CVE-2019-0201 CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 CVE-2019-9518 CVE-2019-10173 CVE-2019-12384

Topic

An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBossA-MQ 6.3.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1715197 - CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper

1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)

1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution

1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth

1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth

1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth

1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved