(RHSA-2017:3115) Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R5 security and bug fix update

ID RHSA-2017:3115
Type redhat
Reporter RedHat
Modified 2017-11-03T00:06:41


Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.

Security Fix(es):

  • It was found that ResourceServlet in the Spring Framework does not properly sanitize the paths supplied to it. An attacker could use this flaw to conduct directory traversal attacks. (CVE-2016-9878)

  • A vulnerability was discovered in the Apache Thrift client libraries that allows remote, authenticated attackers to cause infinite recursion via vectors involving the skip function, resulting in a denial of service (DoS). (CVE-2015-3254)

  • A vulnerability was discovered in JSch that allows a malicious SFTP server to force a client-side relative path traversal in JSch's implementation of recursive sftp-get. An attacker could leverage this to write files outside the client's download base directory, with the effective permissions of the JSch SFTP client process. (CVE-2016-5725)
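The Thrift issue above (CVE-2015-3254) is a recursion-depth denial of service: a skip routine that descends into nested containers recurses once per nesting level, so the peer that built the message also chooses how deep the stack goes. The following Python is an added illustration written for this page, not Apache Thrift's code or its wire format. It defines a constructed toy encoding with a STRUCT type that can nest, shows an unbounded skip failing on a deeply nested message, and shows the generic mitigation, a depth limit, turning that crash into a controlled rejection. MAX_DEPTH = 64 is an arbitrary example value.

```python
# Constructed toy encoding for this example (NOT Thrift's binary protocol):
# a value is one type byte, followed by 4 payload bytes for I32, or for
# STRUCT a run of nested values terminated by a STOP byte.
STOP, I32, STRUCT = 0x00, 0x08, 0x0C
MAX_DEPTH = 64  # example limit; the right value depends on the deployment


def skip_unbounded(buf, pos=0):
    """Skip one value and return the offset just past it.

    Recurses once per nesting level with no limit, so the nesting depth of
    the message, chosen by whoever sent it, dictates the stack depth.
    """
    t = buf[pos]
    pos += 1
    if t == I32:
        return pos + 4
    if t == STRUCT:
        while buf[pos] != STOP:
            pos = skip_unbounded(buf, pos)
        return pos + 1
    raise ValueError("unknown type 0x%02x" % t)


def skip_bounded(buf, pos=0, depth=0):
    """Same walk, but refuses to descend past MAX_DEPTH."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting depth exceeds %d" % MAX_DEPTH)
    t = buf[pos]
    pos += 1
    if t == I32:
        return pos + 4
    if t == STRUCT:
        while buf[pos] != STOP:
            pos = skip_bounded(buf, pos, depth + 1)
        return pos + 1
    raise ValueError("unknown type 0x%02x" % t)


def nested_structs(n):
    """Constructed message: n structs nested inside each other, then n STOPs."""
    return bytes([STRUCT]) * n + bytes([STOP]) * n


def skip_outcome(skip, buf):
    """Run a skip function over buf and classify what happened."""
    try:
        return "ok:%d" % skip(buf)
    except RecursionError:
        return "crashed:recursion"
    except IndexError:
        return "rejected:truncated"
    except ValueError as exc:
        return "rejected:%s" % exc


if __name__ == "__main__":
    small = nested_structs(3)
    hostile = nested_structs(100000)  # far deeper than any interpreter stack
    print("unbounded, small   :", skip_outcome(skip_unbounded, small))
    print("unbounded, hostile :", skip_outcome(skip_unbounded, hostile))
    print("bounded,   small   :", skip_outcome(skip_bounded, small))
    print("bounded,   hostile :", skip_outcome(skip_bounded, hostile))
```

In a language without a RecursionError safety net the unbounded variant overflows the native stack and takes the whole process down, which is the DoS described in the advisory; the bounded variant fails on the one message only. A truncated message is also rejected rather than read past the end of the buffer.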
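The two path traversal fixes above (CVE-2016-9878 in ResourceServlet and CVE-2016-5725 in JSch's recursive sftp-get) share one root cause: a path supplied by the other side of the connection is joined to a local base directory without checking that the result stays inside it. The following Python is an added illustration written for this page, not code from Spring, JSch or the Red Hat patch. It shows the containment check a practitioner would want on either side: decode percent-encoding once, refuse absolute paths, canonicalise, then compare against the base directory; and, for the recursive-get case, additionally insist that every name returned in a remote directory listing is a single path component. The base directory /tmp/jsch-example and the listing entries are constructed for the example, and the code assumes a POSIX filesystem.

```python
import os
from urllib.parse import unquote


def resolve_under(base_dir, untrusted_relative):
    """Map an untrusted relative path onto base_dir.

    Returns the absolute local path, or raises ValueError when the input is
    absolute, contains a NUL byte, or normalises to somewhere outside base_dir.
    Assumes a POSIX filesystem (example assumption, not from the advisory).
    """
    base = os.path.realpath(base_dir)
    # Decode once, so %2e%2e%2f is judged as the '../' it becomes on disk.
    rel = unquote(untrusted_relative)
    if "\x00" in rel:
        raise ValueError("NUL byte in path")
    if rel.startswith("/"):
        raise ValueError("absolute path where a relative one was expected")
    # realpath collapses '.', '..' and symlinks; the prefix test then decides.
    target = os.path.realpath(os.path.join(base, rel))
    if target != base and not target.startswith(base + os.sep):
        raise ValueError("path escapes base directory: %r" % untrusted_relative)
    return target


def is_contained(base_dir, untrusted_relative):
    """True if resolve_under accepts the path, False if it rejects it."""
    try:
        resolve_under(base_dir, untrusted_relative)
        return True
    except ValueError:
        return False


def is_single_component(name):
    """A name from a remote directory listing must be exactly one path
    component: no separators and not the '.' / '..' pseudo-entries."""
    return name not in ("", ".", "..") and "/" not in name and "\\" not in name


def plan_recursive_get(base_dir, listing):
    """Decide where each entry of a remote listing may be written locally.

    listing is an iterable of (remote_subdir, entry_name) pairs, as a client
    doing a recursive get would see them. Returns (accepted, rejected):
    accepted holds (subdir, name, local_path); rejected holds (subdir, name, reason).
    """
    accepted, rejected = [], []
    for subdir, name in listing:
        if not is_single_component(name):
            rejected.append((subdir, name, "entry name is not a single component"))
            continue
        try:
            local = resolve_under(base_dir, os.path.join(subdir, name))
        except ValueError as exc:
            rejected.append((subdir, name, str(exc)))
            continue
        accepted.append((subdir, name, local))
    return accepted, rejected


# Constructed listing standing in for what a malicious server might return.
SAMPLE_LISTING = [
    ("", "readme.txt"),                    # benign
    ("docs", "guide.pdf"),                 # benign, one level down
    ("", "../../.ssh/authorized_keys"),    # traversal via separators in the name
    ("", "..%2F..%2Fetc%2Fcron.d%2Fjob"),  # same, percent-encoded: passes the
                                           # component check, caught after decoding
    ("docs", ".."),                        # pseudo-entry
]


if __name__ == "__main__":
    ok, bad = plan_recursive_get("/tmp/jsch-example", SAMPLE_LISTING)
    for subdir, name, local in ok:
        print("GET  %-32s -> %s" % (os.path.join(subdir, name), local))
    for subdir, name, reason in bad:
        print("SKIP %-32s : %s" % (os.path.join(subdir, name), reason))
```

The check compares canonical paths rather than searching the input for "..": encoded, doubled or redundant forms ("%2e%2e", "docs/../../x") all collapse to the same target under realpath, and the base + os.sep comparison also stops a sibling directory whose name merely begins with the base name from passing as contained.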