This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
libquartz: XXE attacks via job description (CVE-2019-13990)
jetty: double release of resource can lead to information disclosure (CVE-2019-17638)
keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)
wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)
camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution (CVE-2020-11972)
camel: Netty enables Java deserialization by default which could lead to remote code execution (CVE-2020-11973)
shiro: when used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)
camel: server-side template injection and arbitrary file disclosure on templating components (CVE-2020-11994)
postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)
shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)
RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)
thrift: Endless loop when fed specific input data (CVE-2019-0205)
thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)
spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)
spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)
codehaus: incomplete fix for the jackson-databind unsafe deserialization vulnerabilities (CVE-2019-10202)
hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)
cxf: does not restrict the number of message attachments (CVE-2019-12406)
cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
batik: SSRF via “xlink:href” (CVE-2019-17566)
Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)
Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)
cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)
tika-core: Denial of Service Vulnerabilities in Some of Apache Tika’s Parsers (CVE-2020-9489)
dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
netty: compression/decompression codecs don’t enforce limits on buffer allocation sizes (CVE-2020-11612)
camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)
karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)
tika: excessive memory usage in PSDParser (CVE-2020-1950)
log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
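Several of the fixes above (CVE-2020-1714, CVE-2020-10740, CVE-2020-11972, CVE-2020-11973, CVE-2019-10202) concern Java deserialization of untrusted data. The following is an added example, not code from the advisory or from the Fuse project, showing the defense-in-depth control a practitioner would typically layer under such an update: a JDK ObjectInputFilter that allow-lists the types an application expects and rejects everything else before any gadget class is loaded. The package name com.example.messages and the class SerialFilterDemo are placeholders; the serialized input is constructed inline. It requires Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not part of the advisory): allow-list based deserialization
 * filtering as defense in depth. It does not replace applying the update.
 */
public class SerialFilterDemo {

    // Hypothetical allow-list: JDK value/collection types plus an assumed
    // application package "com.example.messages" (placeholder). "!*" rejects
    // every class not matched by an earlier pattern; the limits cap graph
    // depth, reference count, array length and stream size to blunt
    // resource-exhaustion payloads.
    static final ObjectInputFilter APP_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=20;maxrefs=1000;maxbytes=1048576;maxarray=10000;"
            + "java.lang.*;java.util.*;java.time.*;com.example.messages.**;!*");

    /** Deserialize with the allow-list filter applied to this stream. */
    public static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(APP_FILTER);
            return in.readObject();
        }
    }

    /** Produces serialized bytes for the demo (constructed test input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Stand-in for a class outside the allow-list (e.g. a gadget-chain type). */
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "constructed";
    }

    public static void main(String[] args) throws Exception {
        // 1. An expected message (HashMap of Strings): java.util / java.lang are allowed.
        Map<String, String> msg = new HashMap<>();
        msg.put("orderId", "42");
        Object accepted = readFiltered(serialize(msg));
        System.out.println("accepted: " + accepted);

        // 2. A class outside the allow-list: the filter rejects it and the
        //    stream throws InvalidClassException before the class is resolved
        //    or any of its readObject logic runs.
        try {
            readFiltered(serialize(new NotAllowed()));
            System.out.println("BUG: NotAllowed was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide, covering libraries that open their own ObjectInputStream (such as the RabbitMQ and Netty components named above), by starting the JVM with -Djdk.serialFilter='...' or by setting jdk.serialFilter in the JDK's java.security file; a per-stream filter set with setObjectInputFilter takes precedence for that stream. Treat the filter as a compensating control only: the listed CVEs are fixed by the update, not by filtering.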