From bugzilla at redhat.com Mon Apr 3 21:04:53 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Mon, 3 Apr 2017 17:04:53 -0400
Subject: [RHSA-2017:0868-01] Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update
Message-ID: <201704032104.v33L4reV029169@lists01.pubmisc.prod.ext.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update
Advisory ID:       RHSA-2017:0868-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:0868
Issue date:        2017-04-03
CVE Names:         CVE-2012-5783 CVE-2015-1427 CVE-2016-1000229
                   CVE-2016-6812 CVE-2016-6814 CVE-2016-8739
                   CVE-2016-9177 CVE-2017-3159
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission-critical applications.

This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.

Security Fix(es):

* It was reported that Elasticsearch had vulnerabilities in the Groovy scripting engine, which allow an attacker to construct scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. (CVE-2015-1427)

* It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)

* It was found that Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. (CVE-2012-5783)

* It was found that swagger-ui contains a cross-site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally, it is possible to load arbitrary JSON files remotely via the URL query-string parameter. (CVE-2016-1000229)

* A vulnerability was found in FormattedServiceListWriter in the Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection these matrix parameters will find their way back to the client in the services list page, which represents an XSS risk to the client. (CVE-2016-6812)

* The Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use the Apache Abdera Parser to parse Atom feeds or entries, with this parser expanding XML entities by default. It was found that this represents a major XXE risk. (CVE-2016-8739)

* A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files, where there is no protection against directory traversal attacks.
This could allow attackers access to private files including sensitive data. (CVE-2016-9177)

* It was found that the camel-snakeyaml component is exploitable for code execution. An attacker could use this vulnerability to send a specially crafted payload to a camel-snakeyaml endpoint and cause a remote code execution attack. (CVE-2017-3159)

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
1191969 - CVE-2015-1427 elasticsearch: remote code execution via Groovy sandbox bypass
1360275 - CVE-2016-1000229 swagger-ui: cross-site scripting in key names
1393607 - CVE-2016-9177 Spark: Directory traversal vulnerability in version 2.5
1406810 - CVE-2016-6812 apache-cxf: XSS in Apache CXF FormattedServiceListWriter
1406811 - CVE-2016-8739 apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
1413466 - CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
1420834 - CVE-2017-3159 camel-snakeyaml: Unmarshalling operation is vulnerable to RCE

5. References:

https://access.redhat.com/security/cve/CVE-2012-5783
https://access.redhat.com/security/cve/CVE-2015-1427
https://access.redhat.com/security/cve/CVE-2016-1000229
https://access.redhat.com/security/cve/CVE-2016-6812
https://access.redhat.com/security/cve/CVE-2016-6814
https://access.redhat.com/security/cve/CVE-2016-8739
https://access.redhat.com/security/cve/CVE-2016-9177
https://access.redhat.com/security/cve/CVE-2017-3159
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY4rjtXlSAg2UNWIIRAryMAKCPl0Ov02ApsDlQ2LSSWEgE/QSz+ACgnzyt
V+DkiT6TvH3/Ajnf1bJ8rAE=
=blvE
-----END PGP SIGNATURE-----

From bugzilla at redhat.com Wed Apr 19 17:51:47 2017
From: bugzilla at redhat.com (bugzilla at redhat.com)
Date: Wed, 19 Apr 2017 17:51:47 +0000
Subject: [RHSA-2017:1097-01] Moderate: Red Hat JBoss Data Grid 7.1
Message-ID: <201704191751.v3JHpqpC016004@lists01.pubmisc.prod.ext.phx2.redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Data Grid 7.1
Advisory ID:       RHSA-2017:1097-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-1097.html
Issue date:        2017-04-19
CVE Names:         CVE-2016-4970 CVE-2017-2638
=====================================================================

1. Summary:

Red Hat JBoss Data Grid 7.1 is now available for download from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.

This release of Red Hat JBoss Data Grid 7.1.0 serves as a replacement for Red Hat JBoss Data Grid 7.0.0, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References.

Security Fix(es):

* An infinite-loop vulnerability was discovered in Netty's OpenSslEngine handling of renegotiation. An attacker could exploit this flaw to cause a denial of service. Note: Netty is only vulnerable if renegotiation is enabled (default setting). (CVE-2016-4970)

* It was found that the REST API in Infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. (CVE-2017-2638)

The CVE-2017-2638 issue was discovered by Jonathan Mason (Red Hat).

3. Solution:

The References section of this erratum contains a download link (you must log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).

4. Bugs fixed (https://bugzilla.redhat.com/):

1343616 - CVE-2016-4970 netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl
1428564 - CVE-2017-2638 infinispan: auth bypass in REST api

5. References:

https://access.redhat.com/security/cve/CVE-2016-4970
https://access.redhat.com/security/cve/CVE-2017-2638
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.0
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY96OiXlSAg2UNWIIRAmwFAKCApaIF/7TCynlaeAZUyCIWJSnLJACfVyiD
lyaUKhTBIUY6iu5upM0c6nk=
=C6Iu
-----END PGP SIGNATURE-----
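Added illustration, not part of either advisory: the first advisory's Spark item (CVE-2016-9177) describes static-file serving with no protection against directory traversal. The Python below (Spark itself is Java; this is not Spark's or Red Hat's code) places an unprotected URL-to-file mapping beside a hardened one that decodes once, normalises, and compares path components against the static root. The root `/srv/app/public` and the request paths are constructed values; nothing is read from disk.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed static root for the illustration; no files are opened.
STATIC_ROOT = "/srv/app/public"


def naive_static_path(root: str, request_path: str) -> str:
    """Unprotected mapping, as a servlet container would hand it over
    (already URL-decoded): join under root and normalise. ".." segments
    in the request walk straight out of the static tree."""
    return posixpath.normpath(posixpath.join(root, unquote(request_path).lstrip("/")))


def resolve_static_path(root: str, request_path: str) -> Optional[str]:
    """Map a URL path onto a file under root, or return None when the
    request would resolve outside the static directory."""
    # Decode percent-encoding exactly once, so "%2e%2e%2f" is judged like
    # "../". Decoding twice would re-open the double-encoding variant.
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C-backed file APIs
    root_norm = posixpath.normpath(root)
    # Normalise the relative part on its own so leading ".." segments
    # survive (normpath only collapses ".." that has a parent to consume).
    rel = posixpath.normpath(decoded.lstrip("/"))
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    # Compare path components, not string prefixes: a prefix test would
    # accept "/srv/app/public_secret/x" as lying under "/srv/app/public".
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    if candidate == root_norm:
        return None  # the directory itself is not a servable file
    return candidate


if __name__ == "__main__":
    # Constructed requests: a legitimate asset, a literal traversal,
    # and a percent-encoded traversal hidden behind a real directory.
    for req in ("/css/site.css", "/../../etc/passwd", "/css/..%2f..%2f..%2fetc/passwd"):
        print(f"{req!r:40} naive={naive_static_path(STATIC_ROOT, req)!r:32} "
              f"checked={resolve_static_path(STATIC_ROOT, req)!r}")
```

The naive mapping resolves both traversal requests to `/srv/etc/passwd`, while the checked one returns None for them and only passes `/css/site.css` through.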