Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
It was found that ResourceServlet in Spring Framework does not sanitize the paths that have been provided properly. An attacker can utilize this flaw to conduct directory traversal attacks. (CVE-2016-9878)
A vulnerability was discovered in Apache Thrift client libraries that allows remote, authenticated attackers to cause an infinite recursion via vectors involving the skip function, resulting in a denial of service (DoS) condition. (CVE-2015-3254)
A vulnerability was discovered in JSch that allows a malicious sftp server to force a client-side relative path traversal in jsch's implementation for recursive sftp-get. An attacker could leverage this to write files outside the client's download basedir with effective permissions of the jsch sftp client process. (CVE-2016-5725)