-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0877
   Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update
                               4 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Fuse/A-MQ
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3159 CVE-2016-1000229 CVE-2016-9177
                   CVE-2016-8739 CVE-2016-6814 CVE-2016-6812
                   CVE-2015-1427 CVE-2012-5783 

Reference:         ESB-2017.0426
                   ESB-2015.2574
                   ESB-2015.1317

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:0868

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update
Advisory ID:       RHSA-2017:0868-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:0868
Issue date:        2017-04-03
CVE Names:         CVE-2012-5783 CVE-2015-1427 CVE-2016-1000229 
                   CVE-2016-6812 CVE-2016-6814 CVE-2016-8739 
                   CVE-2016-9177 CVE-2017-3159 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. Red
Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ
6.3. It includes bug fixes and enhancements, which are documented in the
readme.txt file included with the patch files.

Security Fix(es):

* It was reported that Elasticsearch had vulnerabilities in the Groovy
scripting engine, which allow an attacker to construct scripts that escape
the sandbox and execute shell commands as the user running the
Elasticsearch Java VM. (CVE-2015-1427)

* It was found that a flaw in the Apache Groovy library allows remote code
execution wherever deserialization occurs in the application. It is
possible for an attacker to craft a special serialized object that will
execute code directly when deserialized. All applications which rely on
serialization and do not isolate the code which deserializes objects are
subject to this vulnerability. (CVE-2016-6814)

* It was found that Apache Commons HttpClient does not verify that the
server hostname matches a domain name in the subject's Common Name (CN) or
subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
certificate. (CVE-2012-5783)
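The check that CVE-2012-5783 describes as missing, written out as an added example (not code from the advisory or from Apache Commons HttpClient): the server hostname is matched against the certificate's subjectAltName DNS entries, with a fallback to the Common Name only when no DNS SAN is present. The certificate is a constructed dict in the shape Python's ssl.getpeercert() returns; no network access is involved.

```python
"""Hostname verification against an X.509 certificate's CN / subjectAltName.

Added example illustrating CVE-2012-5783: without this check, any valid
certificate for any name is accepted, which is what enables spoofing.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and only when
    the pattern has at least three labels, so '*.example.com' matches
    'api.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by the cert's SAN or, failing a
    SAN DNS list, by its Common Name."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When DNS SANs exist the CN must not be consulted (RFC 6125 6.4.4).
        return any(dns_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


# Constructed sample certificate (not a real one) in getpeercert() shape.
SAMPLE_CERT = {
    "subject": ((("commonName", "legit.example.com"),),),
    "subjectAltName": (("DNS", "legit.example.com"),
                       ("DNS", "*.legit.example.com")),
}

# A certificate with no SAN at all, to exercise the CN fallback.
CN_ONLY_CERT = {"subject": ((("commonName", "cn.example.org"),),)}
```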

* It was found that swagger-ui contains a cross-site scripting (XSS)
vulnerability in the key names in the JSON document. An attacker could use
this flaw to supply a key name with script tags which could cause arbitrary
code execution. Additionally, it is possible to load arbitrary JSON
files remotely via the URL query-string parameter. (CVE-2016-1000229)

* A vulnerability was found in FormattedServiceListWriter in Apache CXF
HTTP transport module that could allow an attacker to inject unexpected
matrix parameters into the request URL. On a successful injection these
matrix parameters will find their way back to the client in the services
list page which represents an XSS risk to the client. (CVE-2016-6812)

* The Apache CXF JAX-RS implementation provides a number of Atom
MessageBodyReaders. These readers use the Apache Abdera Parser to parse Atom
feeds or entries, and this parser expands XML entities by default. It
was found that this represents a major XXE risk. (CVE-2016-8739)

* A path traversal issue was found in Spark version 2.5 and potentially
earlier versions. The vulnerability resides in the functionality to serve
static files where there's no protection against directory traversal
attacks. This could allow attackers access to private files including
sensitive data. (CVE-2016-9177)
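The defect class behind CVE-2016-9177, shown as an added example that is not code from the advisory or from the Spark project: a static-file resolver that appends the request path to the document root beside one that decodes, normalises and checks containment before serving. The document root is an assumed constant and paths are handled with posixpath only, so nothing touches the real filesystem.

```python
"""Static-file path resolution with and without a containment check.

Added example for the directory traversal issue in CVE-2016-9177.
"""
import posixpath
from urllib.parse import unquote

STATIC_ROOT = "/srv/app/public"  # assumed document root for the examples


def resolve_unchecked(root: str, request_path: str) -> str:
    """Vulnerable form: the request path is simply appended to the root.

    '/../../../etc/passwd' yields '/srv/app/public/../../../etc/passwd',
    which the operating system resolves to '/etc/passwd'.
    """
    return root + "/" + unquote(request_path).lstrip("/")


def resolve_checked(root: str, request_path: str):
    """Hardened form: returns the resolved path, or None if it escapes root.

    Percent-encoding is decoded first so '%2e%2e%2f' is treated as '../',
    then the path is normalised and its prefix compared against the root.
    A real server should additionally apply os.path.realpath so that a
    symlink inside the root cannot point outside it.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:  # NUL bytes can truncate paths in lower layers
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```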

* It was found that the camel-snakeyaml component is exploitable for code
execution. An attacker could use this vulnerability to send a specially
crafted payload to a camel-snakeyaml endpoint, causing remote code
execution. (CVE-2017-3159)

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
1191969 - CVE-2015-1427 elasticsearch: remote code execution via Groovy sandbox bypass
1360275 - CVE-2016-1000229 swagger-ui: cross-site scripting in key names
1393607 - CVE-2016-9177 Spark: Directory traversal vulnerability in version 2.5
1406810 - CVE-2016-6812 apache-cxf: XSS in Apache CXF FormattedServiceListWriter
1406811 - CVE-2016-8739 apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
1413466 - CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
1420834 - CVE-2017-3159 camel-snakeyaml: Unmarshalling operation is vulnerable to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2012-5783
https://access.redhat.com/security/cve/CVE-2015-1427
https://access.redhat.com/security/cve/CVE-2016-1000229
https://access.redhat.com/security/cve/CVE-2016-6812
https://access.redhat.com/security/cve/CVE-2016-6814
https://access.redhat.com/security/cve/CVE-2016-8739
https://access.redhat.com/security/cve/CVE-2016-9177
https://access.redhat.com/security/cve/CVE-2017-3159
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY4rjtXlSAg2UNWIIRAryMAKCPl0Ov02ApsDlQ2LSSWEgE/QSz+ACgnzyt
V+DkiT6TvH3/Ajnf1bJ8rAE=
=blvE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================