(RHSA-2023:3954) Critical: Red Hat Fuse 7.12 release and security update

2023-06-2920:05:32

access.redhat.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.039 Low

EPSS

Percentile

91.9%

JSON

This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

hazelcast: Hazelcast connection caching (CVE-2022-36437)
spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)
xstream: Denial of Service by injecting recursive collections or maps based on element’s hash values raising a stack overflow (CVE-2022-41966)
Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)
apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
Moment.js: Path traversal in moment.locale (CVE-2022-24785)
batik: Server-Side Request Forgery (CVE-2022-38398)
batik: Server-Side Request Forgery (CVE-2022-38648)
batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)
postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
tomcat: JsonErrorReportValve injection (CVE-2022-45143)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.