Red Hat advisory RHSA-2024:3354
Published: May 23, 2024, 22:44 (2024-05-23 22:44:00)

(RHSA-2024:3354) Important: Red Hat Fuse 7.13.0 release and security update

Source: access.redhat.com
Tags: red hat fuse 7.13.0, security fixes, cve-2023-3223, cve-2023-36479, cve-2023-40167, cve-2023-39410, cve-2023-5072, cve-2023-36478, cve-2023-34055, cve-2023-46589, cve-2022-41678, cve-2023-6378, cve-2023-6481, cve-2023-50290, cve-2023-46749, cve-2024-21733, cve-2024-22243

CVSS3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 7.5 (Confidence: High)
EPSS: 0.172 (Percentile: 96.2%)

Red Hat Fuse 7.13.0 is now available. This release includes bug fixes and enhancements, which are documented in the Release Notes linked in the References section.

Security Fix(es):

  • undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
  • jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
  • jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
  • jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
  • avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)
  • JSON-java: parser confusion leads to OOM (CVE-2023-5072)
  • http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)
  • spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service (CVE-2023-34055)
  • tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
  • activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE (CVE-2022-41678)
  • logback: serialization vulnerability in logback receiver (CVE-2023-6378)
  • logback: A serialization vulnerability in logback receiver (CVE-2023-6481)
  • solr: Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)
  • shiro: path traversal attack may lead to authentication bypass (CVE-2023-46749)
  • tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
  • springframework: URL Parsing with Host Validation (CVE-2024-22243)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.