Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3040
Red Hat Fuse 7.4.0 security update
9 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Fuse 7.4.0
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Request Forgery -- Remote with User Interaction
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-3805 CVE-2019-0192 CVE-2018-15758
CVE-2018-10899 CVE-2018-8088 CVE-2018-1320
CVE-2018-1258 CVE-2016-10750
Reference: ESB-2019.1638
ESB-2018.0983
ESB-2018.0859
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:2413
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Fuse 7.4.0 security update
Advisory ID: RHSA-2019:2413-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2413
Issue date: 2019-08-08
CVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320
CVE-2018-8088 CVE-2018-10899 CVE-2018-15758
CVE-2019-0192 CVE-2019-3805
=====================================================================
1. Summary:
A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse
7.3, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* hazelcast: java deserialization in join cluster procedure leading to
remote code execution (CVE-2016-10750)
* slf4j: Deserialisation vulnerability in EventData constructor can allow
for arbitrary code execution (CVE-2018-8088)
* jolokia: system-wide CSRF that could lead to Remote Code Execution
(CVE-2018-10899)
* spring-security-oauth: Privilege escalation by manipulating saved
authorization request (CVE-2018-15758)
* solr: remote code execution due to unsafe deserialization (CVE-2019-0192)
* thrift: SASL negotiation isComplete validation bypass in the
org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)
* spring-security-core: Unauthorized Access with Spring Security Method
Security (CVE-2018-1258)
* wildfly: Race condition on PID file allows for termination of arbitrary
processes by local users (CVE-2019-3805)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
Installation instructions are available from the Fuse 7.4.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
4. Bugs fixed (https://bugzilla.redhat.com/):
1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security
1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution
1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization
1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution
5. References:
https://access.redhat.com/security/cve/CVE-2016-10750
https://access.redhat.com/security/cve/CVE-2018-1258
https://access.redhat.com/security/cve/CVE-2018-1320
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/cve/CVE-2018-10899
https://access.redhat.com/security/cve/CVE-2018-15758
https://access.redhat.com/security/cve/CVE-2019-0192
https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXUv0xNzjgjWX9erEAQhCzRAAjdpuIeE+WhWxaZpzsfh333p6RXGKoB8g
4BGVD7yZjSNoPmRzkSuaNUTT0wYZdRLSNeYK1FvxqZlTBesHbe3IV80gDNiV2vad
VzwNYukUoa6s8hdzKY/zCKwhuZ5cWkk+FLjFAPEfZt2Typ3kyYPnK/RxNnzfeSgc
90xh60LImUIJK/hGyOL40z8pGFbG404TJbdezYnQt0/l0NBGxPqBGOHnIgpZhAgw
gNMEglpIrxap4UzwSEzA5tmjRUDHeUBpsUpKsez5XL2ECssqrRyK8Hj/KeacnARF
Mnvf4U/lIOamD6Tles8IAFo/kexW+OxKiHbivOFutraLdEXysgkK8Uf5EQqYKW9+
7OgEuyMxUi5Pbj4kL666iBp5oV95gEHm2zcQEbn65BFJ3nomb5nReHh5t7G0AqHy
GYj9dlx84+UG0Fr717Vi586KwtCu6rgdZJS25+0kSCeZk/cowYLW09G+j/+Jk3yg
N/uUfoxqmC/A+SyupFh1A9XZg7oZhkB+Qwo6D2+BejiwXsD8Jv4uzrI7U7+Lg/YK
UFa2oqArMKNrF0zf9152lqCEpOL8dCO3X8RcB8LmQcapmr1MYGB+18oNT4o3JcY3
Aa1hoi5+2gGgR7HHuqTsxnDXYPtgqR9CMylc5gmYsMFK5W3sNX8Z/qazoH3fIVtu
NNAto03aZgE=
=rpUB
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXUz0JmaOgq3Tt24GAQhcehAAw1J1+60P2aGsaIryg6BsHlPnjQnNaQS4
tNi2d82MoPTdnVAlROBdvWbpklbtyX88Urpl/YWlT8dQxjNv8+hUCBI55iumLv0G
hz62m+Gk9sNpsoRIIpBBF58b9RzQghq+SDFRdvGAXVy1za7szKfsib3ahvYELBsy
obZ59y4cxJK2d+caBydRLKU1k+WXJPbydkvFKEyVcwK2CjBJOjV3/abOpA93xCg0
dlc5PNMz2gYL5CI8g4MSGm4vAVXFEr23L/JB2xjrt1e/T4dIEX2lM1rTSol8fBKI
laIJGH+cz6UZfNctrECqjlTlLA+cedJU3XdQmjRnlJenDPPqJuOlcwcbQxdn4djA
oyg/iPujdDnZx5Fc6YKTdL0l59PaG+0/3xsyKcfhzC4uq+XfzrwesgxdLB/Tndt2
xrFH2ATAKSbfOJXdooRlEMsPtFwedY6u4pETo/P6UaSMAK+DUGyC0mI3a0rZ4OVw
rfNFZ2neUWBI/uACjAVWrf75I47MAfHl3tmu1IAZHXxVjvxZDb58GZ1Hn9BeNdKH
IBJNFP+GfCZIkj8/Ba48d9iTm3Ng2ZmFLCAYcxQLMKorSWRTdO6M7JaBzcFG+XHL
w8784vinVEXqs+BywWxjieNxgj9rdtbOWHy6GjdmPYjhO20gSMQcz6PPGvN4QJ29
GV+xiYcEPyI=
=3iCt
-----END PGP SIGNATURE-----