Red Hat advisory RHSA-2024:3354, published May 23, 2024 - 10:44 p.m.

(RHSA-2024:3354) Important: Red Hat Fuse 7.13.0 release and security update

Source: access.redhat.com
Tags: red hat fuse 7.13.0, security fixes, cve-2023-3223, cve-2023-36479, cve-2023-40167, cve-2023-39410, cve-2023-5072, cve-2023-36478, cve-2023-34055, cve-2023-46589, cve-2022-41678, cve-2023-6378, cve-2023-6481, cve-2023-50290, cve-2023-46749, cve-2024-21733, cve-2024-22243

AI Score: 7.5 High (confidence: High)
EPSS: 0.069 Low (percentile: 93.9%)

Red Hat Fuse 7.13.0 is released. It includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

  • undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)

  • jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)

  • jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

  • jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

  • avro: apache-avro: Apache Avro Java SDK: Memory exhaustion when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)

  • JSON-java: parser confusion leads to OOM (CVE-2023-5072)

  • http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)

  • spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service (CVE-2023-34055)

  • tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)

  • activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE (CVE-2022-41678)

  • logback: serialization vulnerability in logback receiver (CVE-2023-6378)

  • logback: serialization vulnerability in logback receiver (CVE-2023-6481)

  • solr: Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)

  • shiro: path traversal attack may lead to authentication bypass (CVE-2023-46749)

  • tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)

  • springframework: URL parsing with host validation bypass in UriComponentsBuilder, enabling open redirect or SSRF (CVE-2024-22243)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
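The fix list above is written per component, and several CVEs appear under more than one component label (CVE-2023-40167 under both jetty and jetty-http). When triaging a Fuse-based build, the first question is which of these components are actually on your classpath. The following Python triage helper is an added example, not part of the Red Hat advisory or of any Red Hat tooling: it parses the advisory's own `component: summary (CVE-ID)` lines (copied from the list above with the summary wording lightly normalized), maps each component label to Maven groupIds, and reports which CVEs warrant review for each dependency in a `mvn dependency:list`-style output. The component-to-groupId table and the sample dependency list with its version numbers are constructed for the example; the advisory does not state fixed versions, so the script flags components for review rather than declaring them vulnerable.

```python
import re
from dataclasses import dataclass

# Security fix lines from the RHSA-2024:3354 text above (summaries lightly normalized).
ADVISORY_FIXES = """
undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
avro: apache-avro: Apache Avro Java SDK: Memory exhaustion when deserializing untrusted data (CVE-2023-39410)
JSON-java: parser confusion leads to OOM (CVE-2023-5072)
http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)
spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service (CVE-2023-34055)
tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE (CVE-2022-41678)
logback: serialization vulnerability in logback receiver (CVE-2023-6378)
logback: serialization vulnerability in logback receiver (CVE-2023-6481)
solr: Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)
shiro: path traversal attack may lead to authentication bypass (CVE-2023-46749)
tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
springframework: URL parsing with host validation bypass in UriComponentsBuilder (CVE-2024-22243)
"""

# Constructed sample in the shape of `mvn dependency:list` output
# (groupId:artifactId:type:version:scope). Versions are illustrative only.
SAMPLE_DEPENDENCIES = """
org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
org.springframework.boot:spring-boot-actuator:jar:2.7.15:compile
org.springframework:spring-web:jar:5.3.30:compile
ch.qos.logback:logback-classic:jar:1.2.12:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
"""

# Assumed mapping from Red Hat component labels to exact Maven groupIds.
# Exact matching matters: "org.springframework.boot" must not be treated as
# part of the "springframework" component, since the Boot jars do not ship
# the Spring Framework classes that CVE-2024-22243 concerns.
COMPONENT_GROUPS = {
    "undertow": ("io.undertow",),
    "jetty": ("org.eclipse.jetty",),
    "jetty-servlets": ("org.eclipse.jetty",),
    "jetty-http": ("org.eclipse.jetty",),
    "http2-hpack": ("org.eclipse.jetty.http2",),
    "avro": ("org.apache.avro",),
    "JSON-java": ("org.json",),
    "spring-boot": ("org.springframework.boot",),
    "springframework": ("org.springframework",),
    "tomcat": ("org.apache.tomcat", "org.apache.tomcat.embed"),
    "activemq": ("org.apache.activemq",),
    "logback": ("ch.qos.logback",),
    "solr": ("org.apache.solr",),
    "shiro": ("org.apache.shiro",),
}

# "component: free-text summary (CVE-YYYY-NNNN)"; the summary may itself contain colons.
FIX_LINE = re.compile(r"^(?P<component>[^:]+):\s*(?P<summary>.*?)\s*\((?P<cve>CVE-\d{4}-\d{4,})\)\s*$")


@dataclass(frozen=True)
class Fix:
    component: str
    summary: str
    cve: str


def parse_fixes(text: str) -> list[Fix]:
    """Parse advisory fix lines; fail loudly on any line that does not fit the format."""
    fixes = []
    for raw in text.strip().splitlines():
        m = FIX_LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable fix line: {raw!r}")
        fixes.append(Fix(m["component"].strip(), m["summary"], m["cve"]))
    return fixes


def affected_cves(fixes: list[Fix], dependency_list: str) -> dict[str, list[str]]:
    """Map each dependency (groupId:artifactId) to the advisory CVEs for its component.

    A hit means "this component is covered by the advisory, review the version";
    the advisory text alone does not say which versions are fixed.
    """
    by_group: dict[str, set[str]] = {}
    for fix in fixes:
        for gid in COMPONENT_GROUPS.get(fix.component, ()):
            by_group.setdefault(gid, set()).add(fix.cve)

    report: dict[str, list[str]] = {}
    for line in dependency_list.strip().splitlines():
        gid, artifact, *_ = line.strip().split(":")
        if gid in by_group:
            report[f"{gid}:{artifact}"] = sorted(by_group[gid])
    return report


if __name__ == "__main__":
    for coord, cves in affected_cves(parse_fixes(ADVISORY_FIXES), SAMPLE_DEPENDENCIES).items():
        print(f"{coord}: review for {', '.join(cves)}")
```

Because groupIds are matched exactly rather than by prefix, `spring-web` is flagged for CVE-2024-22243 while `spring-boot-actuator` is flagged only for CVE-2023-34055; a prefix match on `org.springframework` would have attributed both CVEs to both artifacts and inflated the triage list.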