[RHSA-2016:2035-01] Important: Red Hat JBoss Fuse 6.3 security update

bugzilla at redhat.com bugzilla at redhat.com
Thu Oct 6 16:19:06 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse 6.3 security update
Advisory ID:       RHSA-2016:2035-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2035.html
Issue date:        2016-10-06
CVE Names:         CVE-2015-3192 CVE-2015-5344 CVE-2015-5348 
                   CVE-2015-7940 CVE-2016-2141 CVE-2016-2510 
                   CVE-2016-4437 
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat
JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the Product Documentation link
in the References section, for a list of these changes.

Security Fix(es):

It was found that JGroups did not require necessary headers for encrypt and
auth protocols from new nodes joining the cluster. An attacker could use
this flaw to bypass security restrictions, and use this vulnerability to
send and receive messages within the cluster, leading to information
disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

A deserialization flaw allowing remote code execution was found in the
BeanShell library. If BeanShell was on the classpath, it could permit code
execution if another part of the application deserialized objects involving
a specially constructed chain of classes. A remote attacker could use this
flaw to execute arbitrary code with the permissions of the application
using the BeanShell library. (CVE-2016-2510)

It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that Apache Camel's camel-xstream component was vulnerable to
Java object deserialization. This vulnerability permits deserialization of
data which could lead to information disclosure, code execution, or other
possible attacks. (CVE-2015-5344)

It was found that Apache Camel's Jetty/Servlet permitted object
deserialization. If using camel-jetty or camel-servlet as a consumer in
Camel routes, then Camel will automatically deserialize HTTP requests that
use the content-header: application/x-java-serialized-object. An attacker
could use this vulnerability to gain access to unauthorized information or
conduct further attacks. (CVE-2015-5348)

It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography
with a few thousand queries. (CVE-2015-7940)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

Refer to the Product Documentation link in the References section for
installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
1292849 - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
1303609 - CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE
1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization
1313589 - CVE-2016-2141 Authorization bypass in JGroups
1343346 - CVE-2016-4437 shiro: Security constraint bypass

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/cve/CVE-2015-5344
https://access.redhat.com/security/cve/CVE-2015-5348
https://access.redhat.com/security/cve/CVE-2015-7940
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/cve/CVE-2016-2510
https://access.redhat.com/security/cve/CVE-2016-4437
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX9nl4XlSAg2UNWIIRAjzuAJ9IjZsuMRzFPBfv/AW1xXlo9AHHNwCeNayc
X467FkxtKPz7MAU5sEu9U/c=
=tF7y
-----END PGP SIGNATURE-----




More information about the Jboss-watch-list mailing list