-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3165
  Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R8 security and bug fix update
                              18 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Fuse Integration Services
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7489 CVE-2018-1336 CVE-2018-1305
                   CVE-2018-1304 CVE-2018-1275 CVE-2018-1271
                   CVE-2018-1270 CVE-2018-1260 CVE-2017-12617
                   CVE-2017-12615 CVE-2017-7525 

Reference:         ASB-2018.0172
                   ASB-2018.0168
                   ASB-2018.0163
                   ESB-2018.2600
                   ESB-2018.2516
                   ESB-2018.2490
                   ESB-2018.2310

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2939

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R8 security and bug fix update
Advisory ID:       RHSA-2018:2939-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2939
Issue date:        2018-10-17
CVE Names:         CVE-2017-12617 CVE-2018-1260 CVE-2018-1270 
                   CVE-2018-1271 CVE-2018-1275 CVE-2018-1304 
                   CVE-2018-1305 CVE-2018-1336 CVE-2018-7489 
=====================================================================

1. Summary:

An update is now available for Red Hat Fuse Integration Services.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Fuse Integration Services provides a set of tools and containerized
xPaaS images that enable development, deployment, and management of
integration microservices within OpenShift.

Security fix(es):

* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe
deserialization through c3p0 gadget classes, leading to remote code execution
(CVE-2018-7489)

* spring-framework: incomplete fix for CVE-2018-1270 leaves the spring
messaging RCE exploitable (CVE-2018-1275)

* spring-framework: Directory traversal vulnerability with static resources
on Windows filesystems (CVE-2018-1271)

* spring-framework: Possible RCE via spring messaging (CVE-2018-1270)

* spring-security-oauth: remote code execution in the authorization process
(CVE-2018-1260)

* tomcat: improper overflow handling in the UTF-8 decoder with supplementary
characters can cause an infinite loop and DoS (CVE-2018-1336)

* tomcat: Incorrect handling of empty string URL in security constraints
can lead to unintended exposure of resources (CVE-2018-1304)

* tomcat: Late application of security constraints can lead to resource
exposure for unauthorised users (CVE-2018-1305)

* tomcat: the fix for CVE-2017-12615 can be bypassed, allowing JSP upload via
HTTP PUT and remote code execution when the Default servlet is writable
(readonly=false) (CVE-2017-12617)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Updating instructions and release notes may be found at:

https://access.redhat.com/articles/3060411
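The advisory names the affected components but not the build versions that carry the fixes; those are in the release notes linked above. The following Python script is an added example, not Red Hat or AusCERT code, for taking stock of those components in a Spring Boot fat jar or WAR of the kind FIS images run: it reads Maven coordinates from each nested jar's pom.properties, falls back to the filename when that metadata is absent, and groups what it finds under the advisory's component names so the versions can be compared with the errata packages. The sample archive, its version strings and the mapping from Maven groupIds to advisory components are constructed here for illustration and are assumptions, not data from the advisory. The numeric version helper is deliberately a coarse filter: Red Hat builds backport fixes under vendor suffixes such as .redhat-00001, so only the errata package list is authoritative.

```python
"""Inventory of the components named in RHSA-2018:2939 inside a Spring Boot fat jar or
WAR. Added example, not Red Hat or AusCERT code; sample data and groupId mapping are assumed."""
import io
import re
import zipfile

LIB_DIRS = ("BOOT-INF/lib/", "WEB-INF/lib/", "lib/")
# artifact-1.2.3[.qualifier].jar -> (artifact, version), used when pom.properties is absent
FILENAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")
# (exact Maven groupId, artifactId prefix, advisory component); assumed mapping
SCOPE = (
    ("com.fasterxml.jackson.core", "jackson-databind", "jackson-databind"),
    ("org.springframework.security.oauth", "spring-security-oauth", "spring-security-oauth"),
    ("org.springframework", "spring-", "spring-framework"),
    ("org.apache.tomcat", "tomcat-", "tomcat"),
    ("org.apache.tomcat.embed", "tomcat-", "tomcat"),
)


def coordinates(name, data):
    """(groupId, artifactId, version) of one nested jar, read from its Maven
    pom.properties; groupId is None when only the filename can be used."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            for entry in jar.namelist():
                if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                    props = {}
                    for line in jar.read(entry).decode("utf-8", "replace").splitlines():
                        key, sep, value = line.partition("=")
                        if sep and not key.startswith("#"):
                            props[key.strip()] = value.strip()
                    if {"groupId", "artifactId", "version"} <= set(props):
                        return props["groupId"], props["artifactId"], props["version"]
    except zipfile.BadZipFile:
        pass
    m = FILENAME_RE.match(name.rsplit("/", 1)[-1])
    return (None, m.group("artifact"), m.group("version")) if m else (None, name, "")


def component_for(group_id, artifact_id):
    """Advisory component for these coordinates, or None if out of scope. With no groupId
    (filename fallback) spring-security proper, not in this advisory, must be excluded."""
    if group_id is None and artifact_id.startswith("spring-security") \
            and not artifact_id.startswith("spring-security-oauth"):
        return None
    for group, prefix, component in SCOPE:
        if (group_id is None or group_id == group) and artifact_id.startswith(prefix):
            return component
    return None


def inventory(archive):
    """{component: [(artifactId, version), ...]} for every in-scope nested jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as outer:
        for entry in outer.namelist():
            if entry.endswith(".jar") and entry.startswith(LIB_DIRS):
                group_id, artifact_id, version = coordinates(entry, outer.read(entry))
                component = component_for(group_id, artifact_id)
                if component:
                    found.setdefault(component, []).append((artifact_id, version))
    return found


def version_tuple(version):
    """Leading numeric parts only: '2.8.11.1.redhat-00001' -> (2, 8, 11, 1). Red Hat builds
    backport fixes under vendor suffixes, so a numeric comparison is a coarse filter, not proof."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def below_minimum(version, minimum):
    """True when the numeric part of version sorts before an operator-supplied minimum."""
    return version_tuple(version) < version_tuple(minimum)


def build_sample_fat_jar():
    """Constructed Spring Boot style fat jar (not a real Red Hat build; versions illustrative),
    with one jar lacking Maven metadata to exercise the filename fallback."""
    def nested_jar(group, artifact, version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#Generated by Maven\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        for group, artifact, version in (
            ("com.fasterxml.jackson.core", "jackson-databind", "2.8.11.1.redhat-00001"),
            ("org.springframework", "spring-messaging", "4.3.14.RELEASE"),
            ("org.springframework.security.oauth", "spring-security-oauth2", "2.0.14.RELEASE"),
            ("org.apache.tomcat.embed", "tomcat-embed-core", "8.5.23"),
        ):
            outer.writestr(f"BOOT-INF/lib/{artifact}-{version}.jar", nested_jar(group, artifact, version))
        outer.writestr("BOOT-INF/lib/camel-core-2.18.1.redhat-000024.jar", b"no Maven metadata")
        outer.writestr("BOOT-INF/classes/application.properties", b"server.port=8080\n")
    return buf.getvalue()
```

Point inventory() at the bytes of a real artifact pulled from the image, and treat every component it lists as in scope for this update; below_minimum() only helps triage obviously old numeric versions and cannot tell a patched .redhat build from an unpatched one.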

4. Bugs fixed (https://bugzilla.redhat.com/):

1494283 - CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
1548282 - CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
1564405 - CVE-2018-1270 spring-framework: Possible RCE via spring messaging
1565307 - CVE-2018-1275 spring-framework: Address partial fix for CVE-2018-1270
1571050 - CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
1584376 - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2017-12617
https://access.redhat.com/security/cve/CVE-2018-1260
https://access.redhat.com/security/cve/CVE-2018-1270
https://access.redhat.com/security/cve/CVE-2018-1271
https://access.redhat.com/security/cve/CVE-2018-1275
https://access.redhat.com/security/cve/CVE-2018-1304
https://access.redhat.com/security/cve/CVE-2018-1305
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-7489
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----