(RHSA-2023:3954) Critical: Red Hat Fuse 7.12 release and security update


This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Security Fix(es): * hazelcast: Hazelcast connection caching (CVE-2022-36437) * spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692) * xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966) * Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920) * Apache CXF: SSRF Vulnerability (CVE-2022-46364) * Undertow: Infinite loop in SslConduit during close (CVE-2023-1108) * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370) * springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860) * spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883) * jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783) * apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956) * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) * batik: Server-Side Request Forgery (CVE-2022-38398) * batik: Server-Side Request Forgery (CVE-2022-38648) * batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146) * batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704) * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854) * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881) * engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940) * postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946) * batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890) * Apache CXF: directory listing / code exfiltration (CVE-2022-46363) * springframework: Spring Expression DoS Vulnerability (CVE-2023-20861) * shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602) * bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201) * tomcat: JsonErrorReportValve injection (CVE-2022-45143) For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.