-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Fuse 7.12 release and security update
Advisory ID:       RHSA-2023:3954-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3954
Issue date:        2023-06-29
CVE Names:         CVE-2012-5783 CVE-2020-13956 CVE-2022-4492 
                   CVE-2022-24785 CVE-2022-31692 CVE-2022-36437 
                   CVE-2022-38398 CVE-2022-38648 CVE-2022-40146 
                   CVE-2022-41704 CVE-2022-41854 CVE-2022-41881 
                   CVE-2022-41940 CVE-2022-41946 CVE-2022-41966 
                   CVE-2022-42890 CVE-2022-42920 CVE-2022-45143 
                   CVE-2022-46363 CVE-2022-46364 CVE-2023-1108 
                   CVE-2023-1370 CVE-2023-20860 CVE-2023-20861 
                   CVE-2023-20883 CVE-2023-22602 CVE-2023-33201 
====================================================================
1. Summary:

A minor version update (from 7.11 to 7.12) is now available for Red Hat
Fuse. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse
7.11 and includes bug fixes and enhancements, which are documented in the
Release Notes document linked in the References.

Security Fix(es):

* hazelcast: Hazelcast connection caching (CVE-2022-36437)

* spring-security: Authorization rules can be bypassed via forward or
include dispatcher types in Spring Security (CVE-2022-31692)

* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds
writing (CVE-2022-42920)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* jakarta-commons-httpclient: missing connection hostname check against
X.509 certificate name (CVE-2012-5783)

* apache-httpclient: incorrect handling of malformed authority component in
request URIs (CVE-2020-13956)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* Moment.js: Path traversal in moment.locale (CVE-2022-24785)

* batik: Server-Side Request Forgery (CVE-2022-38398)

* batik: Server-Side Request Forgery (CVE-2022-38648)

* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

* batik: Apache XML Graphics Batik vulnerable to code execution via SVG
(CVE-2022-41704)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* engine.io: Specially crafted HTTP request can trigger an uncaught
exception (CVE-2022-41940)

* postgresql-jdbc: Information leak of prepared statement data due to
insecure temporary file permissions (CVE-2022-41946)

* batik: Untrusted code execution in Apache XML Graphics Batik
(CVE-2022-42890)

* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* shiro: Authentication bypass through a specially crafted HTTP request
(CVE-2023-22602)

* bouncycastle: potential  blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)

* tomcat: JsonErrorReportValve injection (CVE-2022-45143)

For more details about the security issues, including the impact, CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2144970 - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching
2162206 - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability
2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG
2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik
2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability
2215465 - CVE-2023-33201 bouncycastle: potential  blind LDAP injection attack using a self-signed certificate

5. JIRA issues fixed (https://issues.redhat.com/):

ENTESB-20598 - Incomplete fix of CVE-2020-13956
ENTESB-20598 - Incomplete fix of CVE-2020-13956
ENTESB-21418 - CVE-2023-1370,  ensure that Syndesis is using fixed json-smart

6. References:

https://access.redhat.com/security/cve/CVE-2012-5783
https://access.redhat.com/security/cve/CVE-2020-13956
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-31692
https://access.redhat.com/security/cve/CVE-2022-36437
https://access.redhat.com/security/cve/CVE-2022-38398
https://access.redhat.com/security/cve/CVE-2022-38648
https://access.redhat.com/security/cve/CVE-2022-40146
https://access.redhat.com/security/cve/CVE-2022-41704
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2022-41940
https://access.redhat.com/security/cve/CVE-2022-41946
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42890
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-45143
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-20860
https://access.redhat.com/security/cve/CVE-2023-20861
https://access.redhat.com/security/cve/CVE-2023-20883
https://access.redhat.com/security/cve/CVE-2023-22602
https://access.redhat.com/security/cve/CVE-2023-33201
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/

7. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJ38aNzjgjWX9erEAQinAxAAok8XXaAwrRfOZy4j/osu5ZPTMpagKw0Q
lf+XZ8a1F38yrVIxk7d48h04HBR865GIqAh5CrN0L9nrxGzkM6Dtiw43KzF3rXbd
39ozCXv3y1JzRygzUM/RDv10s7kQAqAS9ZU1DWla0ALlcteOfKT98Ao8MAIhgrHg
Ao+GtGN+jyVsIgfBkI7y6NoFmPG7OaPVg4F85Hq/uuOwg879CKkRIFWLFc8ziVtb
QoouQ5Zdtb4wnhSqhzJq4pccKeSFXQG+uJV/OIlgMhbdGGkUOtcwX4CW8F584LiH
ETBbkwnZfUF1FNo3sLRN942z4InkuLnqaX2TdT8wTaQCja1FW/O0Q7IfYTS9ESJ0
xi06Rn3IeUoJCKIfeKrjI0f1dWqfHy11/TTNgANFbMRjlxJkNAN9nZLD5KdvzOp4
1WfYTEsvuIaXchH/URDooI9BQ8m38kHogw/a9E/Qq4iXPRQtME7ANHfidCsuTq/9
uYqOhuaqF82TMEmq2Y3P2D8RT5rnHFjjRbUvKbljzNBX2Co4CJ32zk3L1ol6GHZh
rvnG1Tco9us8BbVHhSWaTSt3UOjf1eg1U9fhEijA8jR8tSf2Fw7c4e6dqU5kytVp
ihK2fPpJ1HKqEm3gmPBEIYzSn7UxpjFMN1aZLRa5CZAD4p410Qg1zNX3BVLLI3zp
vi0V6dxNE2g=yKwR
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-3954:01 Critical: Red Hat Fuse 7.12 release and security

A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse

Summary

This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hazelcast: Hazelcast connection caching (CVE-2022-36437)
* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)
* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)
* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2012-5783 https://access.redhat.com/security/cve/CVE-2020-13956 https://access.redhat.com/security/cve/CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-31692 https://access.redhat.com/security/cve/CVE-2022-36437 https://access.redhat.com/security/cve/CVE-2022-38398 https://access.redhat.com/security/cve/CVE-2022-38648 https://access.redhat.com/security/cve/CVE-2022-40146 https://access.redhat.com/security/cve/CVE-2022-41704 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2022-41940 https://access.redhat.com/security/cve/CVE-2022-41946 https://access.redhat.com/security/cve/CVE-2022-41966 https://access.redhat.com/security/cve/CVE-2022-42890 https://access.redhat.com/security/cve/CVE-2022-42920 https://access.redhat.com/security/cve/CVE-2022-45143 https://access.redhat.com/security/cve/CVE-2022-46363 https://access.redhat.com/security/cve/CVE-2022-46364 https://access.redhat.com/security/cve/CVE-2023-1108 https://access.redhat.com/security/cve/CVE-2023-1370 https://access.redhat.com/security/cve/CVE-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20861 https://access.redhat.com/security/cve/CVE-2023-20883 https://access.redhat.com/security/cve/CVE-2023-22602 https://access.redhat.com/security/cve/CVE-2023-33201 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/

Package List


Severity
Advisory ID: RHSA-2023:3954-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3954
Issued Date: : 2023-06-29
CVE Names: CVE-2012-5783 CVE-2020-13956 CVE-2022-4492 CVE-2022-24785 CVE-2022-31692 CVE-2022-36437 CVE-2022-38398 CVE-2022-38648 CVE-2022-40146 CVE-2022-41704 CVE-2022-41854 CVE-2022-41881 CVE-2022-41940 CVE-2022-41946 CVE-2022-41966 CVE-2022-42890 CVE-2022-42920 CVE-2022-45143 CVE-2022-46363 CVE-2022-46364 CVE-2023-1108 CVE-2023-1370 CVE-2023-20860 CVE-2023-20861 CVE-2023-20883 CVE-2023-22602 CVE-2023-33201

Topic

A minor version update (from 7.11 to 7.12) is now available for Red HatFuse. The purpose of this text-only errata is to inform you about thesecurity issues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Critical. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs

2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

2144970 - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow

2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client

2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS

2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions

2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability

2155292 - CVE-2022-38398 batik: Server-Side Request Forgery

2155295 - CVE-2022-38648 batik: Server-Side Request Forgery

2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration

2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability

2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection

2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching

2162206 - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security

2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow

2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close

2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability

2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG

2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik

2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request

2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate

5. JIRA issues fixed (https://issues.redhat.com/):

ENTESB-20598 - Incomplete fix of CVE-2020-13956

ENTESB-20598 - Incomplete fix of CVE-2020-13956

ENTESB-21418 - CVE-2023-1370, ensure that Syndesis is using fixed json-smart


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved