(RHSA-2020:5568) Important: Red Hat Fuse 7.8.0 release and security update

Source: Red Hat (access.redhat.com)
Published: Dec 16, 2020, 12:07 p.m.
EPSS score: 0.972 (High), 99.8th percentile

This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References section.

Security Fix(es):

  • libquartz: XXE attacks via job description (CVE-2019-13990)

  • jetty: double release of resource can lead to information disclosure (CVE-2019-17638)

  • keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)

  • springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)

  • wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)

  • camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution (CVE-2020-11972)

  • camel: Netty enables Java deserialization by default which could lead to remote code execution (CVE-2020-11973)

  • shiro: when used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)

  • camel: server-side template injection and arbitrary file disclosure on templating components (CVE-2020-11994)

  • postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)

  • shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)

  • RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

  • jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)

  • thrift: endless loop when fed with specific input data (CVE-2019-0205)

  • thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

  • mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)

  • spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)

  • spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)

  • codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)

  • hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)

  • org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)

  • cxf: does not restrict the number of message attachments (CVE-2019-12406)

  • cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)

  • hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)

  • batik: SSRF via “xlink:href” (CVE-2019-17566)

  • Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)

  • Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)

  • apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)

  • cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)

  • tika-core: Denial of Service Vulnerabilities in Some of Apache Tika’s Parsers (CVE-2020-9489)

  • dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)

  • netty: compression/decompression codecs don’t enforce limits on buffer allocation sizes (CVE-2020-11612)

  • camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)

  • karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)

  • tika: excessive memory usage in PSDParser (CVE-2020-1950)

  • log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
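As an added example (not part of the advisory and not Red Hat's own tooling), the following Python script parses the bullet format used in the Security Fix(es) list above, `component: summary (CVE-ID)`, into structured records that a vulnerability tracker can consume. It normalizes component names (the list spells both "wildfly" and "Wildfly"), groups CVE IDs by component, orders them for triage by year and sequence number, and reports any bullet that did not parse so that a format change is caught rather than silently dropped. The sample text is a constructed excerpt of five bullets taken from this advisory; the regex and function names are assumptions of the example.

```python
"""Parse the 'Security Fix(es)' bullets of a Red Hat advisory into structured records.

Each bullet has the shape:  <component>: <summary> (<CVE-ID>)
Names below (BULLET_RE, parse_fixes, ...) are this example's own, not Red Hat's.
"""
import re
from collections import defaultdict

# Constructed sample: five bullets copied from RHSA-2020:5568, deliberately including
# the mixed-case 'wildfly'/'Wildfly' spellings so component normalization is exercised.
SAMPLE_ADVISORY = """\
Security Fix(es):

  • libquartz: XXE attacks via job description (CVE-2019-13990)

  • wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)

  • Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)

  • shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)

  • jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)

For more details about the security issue(s), refer to the CVE page(s).
"""

# Bullet marker, component up to the first colon, free-text summary, trailing CVE in parentheses.
BULLET_RE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?P<component>[^:]+?)\s*:\s*"
    r"(?P<summary>.+?)\s*"
    r"\((?P<cve>CVE-\d{4}-\d{4,})\)\s*$"
)
# Anything that looks like a bullet at all; used to detect bullets the strict pattern missed.
ANY_BULLET_RE = re.compile(r"^\s*[•*-]\s*\S")


def parse_fixes(text):
    """Return a list of {component, summary, cve} dicts, one per well-formed bullet."""
    fixes = []
    for line in text.splitlines():
        m = BULLET_RE.match(line)
        if m:
            fixes.append({
                "component": m.group("component").strip().lower(),  # normalize case
                "summary": m.group("summary").strip(),
                "cve": m.group("cve"),
            })
    return fixes


def unparsed_bullets(text):
    """Bullet-looking lines that did not match the strict pattern (format drift check)."""
    return [line.strip() for line in text.splitlines()
            if ANY_BULLET_RE.match(line) and not BULLET_RE.match(line)]


def by_component(fixes):
    """Map normalized component name -> list of CVE IDs, in advisory order."""
    grouped = defaultdict(list)
    for f in fixes:
        grouped[f["component"]].append(f["cve"])
    return dict(grouped)


def cve_sort_key(cve):
    """Sort key (year, sequence) so CVE-2020-1719 orders before CVE-2020-10740."""
    _, year, seq = cve.split("-")
    return int(year), int(seq)


def triage_order(fixes):
    """CVE IDs ordered oldest first; string sorting would misorder differing-length sequences."""
    return sorted((f["cve"] for f in fixes), key=cve_sort_key)


def duplicate_cves(fixes):
    """CVE IDs that appear in more than one bullet (should be empty for a clean advisory)."""
    seen, dupes = set(), []
    for f in fixes:
        if f["cve"] in seen and f["cve"] not in dupes:
            dupes.append(f["cve"])
        seen.add(f["cve"])
    return dupes


if __name__ == "__main__":
    fixes = parse_fixes(SAMPLE_ADVISORY)
    for component, cves in by_component(fixes).items():
        print(f"{component}: {', '.join(cves)}")
    print("triage order:", triage_order(fixes))
    print("unparsed:", unparsed_bullets(SAMPLE_ADVISORY))
    print("duplicates:", duplicate_cves(fixes))
```

Run the script on the full advisory text instead of the sample by reading it from a file; a non-empty result from `unparsed_bullets` means a bullet deviated from the `component: summary (CVE-ID)` shape and needs manual review rather than being dropped from the tracker.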