Lucene search

K
redhatRedHatRHSA-2019:2804
HistorySep 17, 2019 - 9:21 a.m.

(RHSA-2019:2804) Important: Red Hat JBoss Fuse/A-MQ 6.3 R13 security and bug fix update

2019-09-1709:21:53
access.redhat.com
38
red hat jboss fuse
red hat a-mq
security fix
bug fix
jolokia
jackson-databind
cve-2018-10899
cve-2018-11307
cve-2018-12022
cve-2018-12023
cve-2018-14718
cve-2018-14719
cve-2018-19360
cve-2018-19361
cve-2018-19362

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.037

Percentile

91.9%

Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.

Security fix(es):

  • jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899)

  • jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)

  • jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

  • jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

  • jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

  • jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

  • jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

  • jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

  • jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.037

Percentile

91.9%