Sep 11, 2018 - 7:52 a.m.

(RHSA-2018:2669) Important: Fuse 7.1 security update


Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.

This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • Apache Struts 1: Class Loader manipulation via request parameters (CVE-2014-0114)

  • thrift: Improper file path sanitization in the Go client library can allow an attacker to inject commands (CVE-2016-5397)

  • slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)

  • jolokia: JMX proxy mode vulnerable to remote code execution (CVE-2018-1000130)

  • bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data (CVE-2016-1000338)

  • bouncycastle: Information leak in AESFastEngine class (CVE-2016-1000339)

  • bouncycastle: Information exposure in DSA signature generation via timing attack (CVE-2016-1000341)

  • bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (CVE-2016-1000342)

  • bouncycastle: DHIES implementation allowed the use of ECB mode (CVE-2016-1000344)

  • bouncycastle: DHIES/ECIES CBC modes are vulnerable to padding oracle attack (CVE-2016-1000345)

  • bouncycastle: Other party DH public keys are not fully validated (CVE-2016-1000346)

  • bouncycastle: ECIES implementation allowed the use of ECB mode (CVE-2016-1000352)

  • async-http-client: Invalid URL parsing with ‘?’ (CVE-2017-14063)

  • undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)

  • spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)

  • tika: Infinite loop in BPGParser can allow remote attacker to cause a denial of service (CVE-2018-1338)

  • tika: Infinite loop in ChmParser can allow remote attacker to cause a denial of service (CVE-2018-1339)

  • pdfbox: Infinite loop allows for out-of-memory errors via crafted PDF (CVE-2018-8036)

  • jolokia: Cross site scripting in the HTTP servlet (CVE-2018-1000129)

  • bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)

  • bouncycastle: Carry propagation bug in math.raw.Nat??? class (CVE-2016-1000340)

  • bouncycastle: DSA key pair generator generates a weak private key by default (CVE-2016-1000343)

  • spring-framework: Multipart content pollution (CVE-2018-1272)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.