—–BEGIN PGP SIGNED MESSAGE—–
\nHash: SHA256<\/p>\n
====================================================================
\nRed Hat Security Advisory<\/p>\n
Synopsis: Important: Red Hat Fuse 7.11.1 release and security update
\nAdvisory ID: RHSA-2022:8652-01
\nProduct: Red Hat JBoss Fuse
\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:8652
\nIssue date: 2022-11-28
\nCVE Names: CVE-2019-8331 CVE-2021-3717 CVE-2021-31684
\nCVE-2021-44906 CVE-2022-0613 CVE-2022-2048
\nCVE-2022-2053 CVE-2022-24723 CVE-2022-24785
\nCVE-2022-24823 CVE-2022-25857 CVE-2022-31129
\nCVE-2022-31197 CVE-2022-33980 CVE-2022-38749
\nCVE-2022-41853 CVE-2022-42889
\n====================================================================
\n1. Summary:<\/p>\n
A minor version update (from 7.11 to 7.11.1) is now available for Red Hat
\nFuse. The purpose of this text-only errata is to inform you about the
\nsecurity issues fixed in this release.<\/p>\n
Red Hat Product Security has rated this update as having a security impact
\nof Important. A Common Vulnerability Scoring System (CVSS) base score,
\nwhich gives a detailed severity rating, is available for each vulnerability
\nfrom the CVE link(s) in the References section.<\/p>\n
2. Description:<\/p>\n
This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat
\nFuse 7.11 and includes bug fixes and enhancements, which are documented in
\nthe Release Notes document linked in the References.<\/p>\n
Security Fix(es):<\/p>\n
* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)<\/p>\n
* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover
\ndata-template attribute [fuse-7] (CVE-2019-8331)<\/p>\n
* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template
\nattribute [fuse-7] (CVE-2019-8331)<\/p>\n
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving
\naccess to all the local users [fuse-7] (CVE-2021-3717)<\/p>\n
* json-smart: Denial of Service in JSONParserByteArray function [fuse-7]\n(CVE-2021-31684)<\/p>\n
* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7]\n(CVE-2021-44906)<\/p>\n
* urijs: Authorization Bypass Through User-Controlled Key [fuse-7]\n(CVE-2022-0613)<\/p>\n
* http2-server: Invalid HTTP\/2 requests cause DoS [fuse-7] (CVE-2022-2048)<\/p>\n
* snakeyaml: Denial of Service due to missing nested depth limitation for
\ncollections [fuse-7] (CVE-2022-25857)<\/p>\n
* urijs: Leading white space bypasses protocol validation [fuse-7]\n(CVE-2022-24723)<\/p>\n
* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)<\/p>\n
* netty: world readable temporary file containing sensitive data [fuse-7]\n(CVE-2022-24823)<\/p>\n
* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with
\nmalicious column names [fuse-7] (CVE-2022-31197)<\/p>\n
* commons-configuration2: apache-commons-configuration: Apache Commons
\nConfiguration insecure interpolation defaults [fuse-7] (CVE-2022-33980)<\/p>\n
* commons-text: apache-commons-text: variable interpolation RCE [fuse-7]\n(CVE-2022-42889)<\/p>\n
* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)<\/p>\n
* moment: inefficient parsing algorithm resulting in DoS [fuse-7]\n(CVE-2022-31129)<\/p>\n
* snakeyaml: Uncaught exception in
\norg.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7]\n(CVE-2022-38749)<\/p>\n
For more details about the security issues, including the impact, CVSS
\nscore, acknowledgments, and other related information, refer to the CVE
\npage(s) listed in the References section.<\/p>\n
3. Solution:<\/p>\n
Before applying the update, back up your existing installation, including
\nall applications, configuration files, databases and database settings, and
\nso on.<\/p>\n
Installation instructions are available from the Fuse 7.11.1 product
\ndocumentation page:
\nhttps:\/\/access.redhat.com\/documentation\/en-us\/red_hat_fuse\/7.11\/<\/p>\n
4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n
1686454 – CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
\n1991305 – CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
\n2055496 – CVE-2022-0613 urijs: Authorization Bypass Through User-Controlled Key
\n2062370 – CVE-2022-24723 urijs: Leading white space bypasses protocol validation
\n2066009 – CVE-2021-44906 minimist: prototype pollution
\n2072009 – CVE-2022-24785 Moment.js: Path traversal in moment.locale
\n2087186 – CVE-2022-24823 netty: world readable temporary file containing sensitive data
\n2095862 – CVE-2022-2053 undertow: Large AJP request may cause DoS
\n2102695 – CVE-2021-31684 json-smart: Denial of Service in JSONParserByteArray function
\n2105067 – CVE-2022-33980 apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
\n2105075 – CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
\n2116952 – CVE-2022-2048 http2-server: Invalid HTTP\/2 requests cause DoS
\n2126789 – CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
\n2129428 – CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names
\n2129706 – CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
\n2135435 – CVE-2022-42889 apache-commons-text: variable interpolation RCE
\n2136141 – CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack<\/p>\n
5. References:<\/p>\n
https:\/\/access.redhat.com\/security\/cve\/CVE-2019-8331
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-3717
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-31684
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2021-44906
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-0613
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2048
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-2053
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-24723
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-24785
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-24823
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-25857
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-31129
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-31197
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-33980
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-38749
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-41853
\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-42889
\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#important<\/p>\n
6. Contact:<\/p>\n
The Red Hat security contact is <secalert@redhat.com>. More contact
\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n
Copyright 2022 Red Hat, Inc.
\n—–BEGIN PGP SIGNATURE—–
\nVersion: GnuPG v1<\/p>\n
iQIVAwUBY4UEJdzjgjWX9erEAQg9jw\/\/bHEzcxXGN9kNp1msJRaz6iQEu7dv9TYV
\nN1lsrfJEc\/fosdjIilTzia9hKhMVvbC6iv6lWGc6s3E9t48vGdSYLHbh+qHnFo7t
\nWtrjZnejl53WYwRc70oyeUmXTNrrd9iuATkvkFF6MA024hcJFksuiHmF5\/Awa9T8
\nsSsLbm5eutvBz1rBDGgcq4fDCFB40YmKsLKhzHrV0SpeZKTCgwNyzvpAVVlsxXhk
\nOSSCmda+ZTxkA9+gaTsJqqeBeDgHhSL+PVzWOYuRM6wT49tkwSJHfBs9EgV55IjE
\nIVOQm3oGUyMSGBjbbiD8NuYEQkAip8AK0eTIQbaWW4n9geXpw5VOh\/E3U8u+a9xY
\nh0pAs6ACta+fD3d9hSabTkDDno6NU94bcmKh2rfpNvj6h9UX0Ca0lKMZ25t6zUln
\n2OHzLhilUnbOSwnE709NBaEaI4t\/aev1TBpeZ1KFpn\/6Mdbx6pvjuh76kCHwdg7o
\nOVsrvplG6hJ93S5vNNYxwfcL7TFNyWBcHR0Em7D51zZ87HkzYcNh9Ay481BgXGz+
\nz2N71zc+h0auaMo5bnL68hMSjFmhiMWZmfy1H8w2Sz6fol8iO\/aYI\/ddv\/8aYP1k
\n3ZMY7ygpkvcryPaz7VKixbX7yZNOI2gfXl2zDSvIoOjaajND4ctdidxJ9MeZYj6r
\nWzRyyCDzfVo=IsTh
\n—–END PGP SIGNATURE—–
\n—
\nRHSA-announce mailing list
\nRHSA-announce@redhat.com
\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"
—–BEGIN PGP SIGNED MESSAGE—– Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Fuse 7.11.1 release and security update Advisory ID: RHSA-2022:8652-01 Product: Red Hat JBoss Fuse Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:8652 Issue date: 2022-11-28 CVE Names: CVE-2019-8331 CVE-2021-3717 CVE-2021-31684 CVE-2021-44906 CVE-2022-0613 CVE-2022-2048 CVE-2022-2053 CVE-2022-24723 CVE-2022-24785 CVE-2022-24823 CVE-2022-25857 CVE-2022-31129 CVE-2022-31197 CVE-2022-33980 CVE-2022-38749 CVE-2022-41853 CVE-2022-42889 ==================================================================== …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34186","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34186"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34186\/revisions"}],"predecessor-version":[{"id":34200,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34186\/revisions\/34200"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}