(RHSA-2019:2804) Important: Red Hat JBoss Fuse/A-MQ 6.3 R13 security and bug fix update

Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.

This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below.

Security fix(es):

• jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899)

• jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)

• jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

• jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

• jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

• jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

• jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

• jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

• jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.