Home / mailings [RHSA-2019:2413-01] Important: Red Hat Fuse 7.4.0 security update
Posted on 08 August 2019
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat Fuse 7.4.0 security update
Advisory ID: RHSA-2019:2413-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2413
Issue date: 2019-08-08
CVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320
CVE-2018-8088 CVE-2018-10899 CVE-2018-15758
CVE-2019-0192 CVE-2019-3805
=====================================================================
1. Summary:
A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse
7.3, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* hazelcast: java deserialization in join cluster procedure leading to
remote code execution (CVE-2016-10750)
* slf4j: Deserialisation vulnerability in EventData constructor can allow
for arbitrary code execution (CVE-2018-8088)
* jolokia: system-wide CSRF that could lead to Remote Code Execution
(CVE-2018-10899)
* spring-security-oauth: Privilege escalation by manipulating saved
authorization request (CVE-2018-15758)
* solr: remote code execution due to unsafe deserialization (CVE-2019-0192)
* thrift: SASL negotiation isComplete validation bypass in the
org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)
* spring-security-core: Unauthorized Access with Spring Security Method
Security (CVE-2018-1258)
* wildfly: Race condition on PID file allows for termination of arbitrary
processes by local users (CVE-2019-3805)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
Installation instructions are available from the Fuse 7.4.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
4. Bugs fixed (https://bugzilla.redhat.com/):
1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security
1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution
1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization
1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution
5. References:
https://access.redhat.com/security/cve/CVE-2016-10750
https://access.redhat.com/security/cve/CVE-2018-1258
https://access.redhat.com/security/cve/CVE-2018-1320
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/cve/CVE-2018-10899
https://access.redhat.com/security/cve/CVE-2018-15758
https://access.redhat.com/security/cve/CVE-2019-0192
https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
