-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Fuse/A-MQ 6.3 R4 security and bug fix update Advisory ID: RHSA-2017:1832-01 Product: Red Hat JBoss Fuse Advisory URL: https://access.redhat.com/errata/RHSA-2017:1832 Issue date: 2017-08-10 CVE Names: CVE-2015-6644 CVE-2016-8749 CVE-2016-9879 CVE-2017-2589 CVE-2017-2594 CVE-2017-3156 CVE-2017-5643 CVE-2017-5653 CVE-2017-5656 CVE-2017-5929 CVE-2017-7957 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. Security Fix(es): * It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. (CVE-2017-2589) * It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644) * It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues. (CVE-2016-8749) * It was found that Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded / to a request an attacker may be able to bypass a security constraint. (CVE-2016-9879) * It was found that a path traversal vulnerability in hawtio leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. (CVE-2017-2594) * It was found that Apache CXF OAuth2 Hawk and JOSE MAC Validation code is not using a constant time MAC signature comparison algorithm which may be exploited by some sophisticated timing attacks. It may only affect OAuth2 Hawk, JWT access tokens, or JOSE JWS/JWE interceptors which depend on HMAC secret key algorithms. (CVE-2017-3156) * It was found that Apache Camel's validation component evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). (CVE-2017-5643) * It was found that a flaw exists in JAX-RS clients using the streaming approach for XML signatures and encryption, where it does not enforce the message to be signed/encrypted. This could allow an attacker to subvert the integrity of the message. (CVE-2017-5653) * It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service (STS). This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token for another user. (CVE-2017-5656) * It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929) * It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957) The CVE-2017-2589 issue was discovered by Adam Willard (Blue Canopy) and Dennis Reed (Red Hat) and the CVE-2017-2594 issue was discovered by Hooman Broujerdi (Red Hat). 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. You can find installation instructions in the download section of the customer portal. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1409838 - CVE-2016-9879 Spring Security: Improper handling of path parameters allows bypassing the security constraint 1413905 - CVE-2017-2589 hawtio: Proxy is sharing cookies among all the clients 1415543 - CVE-2017-2594 Hawtio information Disclosure flaws due to unsafe path traversal 1420832 - CVE-2016-8749 camel-jackson, camel-jacksonxml: Unmarshalling operation are vulnerable to RCE 1425455 - CVE-2017-3156 cxf: CXF OAuth2 Hawk and JOSE MAC Validation code are vulnerable to timing attacks 1432858 - CVE-2017-5929 logback: Serialization vulnerability in SocketServer and ServerSocketReceiver 1433374 - CVE-2017-5643 camel-core: Validation component vulnerable to SSRF via remote DTDs and XXE 1441538 - CVE-2017-7957 XStream: DoS when unmarshalling void type 1444015 - CVE-2015-6644 bouncycastle: Information disclosure in GCMBlockCipher 1445327 - CVE-2017-5653 cxf: CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted 1445329 - CVE-2017-5656 cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens 5. References: https://access.redhat.com/security/cve/CVE-2015-6644 https://access.redhat.com/security/cve/CVE-2016-8749 https://access.redhat.com/security/cve/CVE-2016-9879 https://access.redhat.com/security/cve/CVE-2017-2589 https://access.redhat.com/security/cve/CVE-2017-2594 https://access.redhat.com/security/cve/CVE-2017-3156 https://access.redhat.com/security/cve/CVE-2017-5643 https://access.redhat.com/security/cve/CVE-2017-5653 https://access.redhat.com/security/cve/CVE-2017-5656 https://access.redhat.com/security/cve/CVE-2017-5929 https://access.redhat.com/security/cve/CVE-2017-7957 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.3 https://access.redhat.com/documentation/en/red-hat-jboss-fuse/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFZjOeSXlSAg2UNWIIRAlJyAJ0SQuzh7ygwEkV13KsYvsAU+mmM4wCeOP47 KasCT9HsJuncvPk4hGkjKxY= =pWh5 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce