(RHSA-2023:7247) Critical: Red Hat Fuse 7.12.1 release and security update

This release of Red Hat Fuse 7.12.1 serves as a replacement for Red Hat Fuse 7.12 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

• HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

• OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack (CVE-2023-46604)

• undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)

• okio: GzipSource class improper exception handling (CVE-2023-3635)

• spring-security: spring-security-webflux: path wildcard leads to security bypass (CVE-2023-34034)

• http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)

• avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

• jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

• tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)

• tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)

• tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)

• jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)

• jetty: OpenId Revoked authentication allows one request (CVE-2023-41900)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.