First published: Tue Jul 09 2013
Fuse ESB Enterprise, based on Apache ServiceMix, provides an integration platform.

This release of Fuse ESB Enterprise 7.1.0 roll up patch 1 is an update to Fuse ESB Enterprise 7.1.0 and includes bug fixes. Refer to the readme file included with the patch files for information about the bug fixes.

The following security issues are also fixed with this release:

XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575)

Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements.

A flaw in JRuby's JSON gem allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269)

It was discovered that JRuby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which would result in REXML consuming large amounts of system memory. (CVE-2013-1821)

Multiple denial of service flaws were found in the way the Apache CXF StAX parser implementation processed certain XML files. If a web service utilized the StAX parser, a remote attacker could provide a specially-crafted XML file that, when processed, would lead to excessive CPU and memory consumption. (CVE-2013-2160)

Note: Fuse ESB Enterprise 7.1.0 ships JRuby as part of the camel-ruby component, which allows users to define Camel routes in Ruby. The default use of JRuby in Fuse ESB Enterprise 7.1.0 does not appear to expose either CVE-2013-0269 or CVE-2013-1821. If the version of JRuby shipped with Fuse ESB Enterprise 7.1.0 was used to build a custom application, then these flaws could be exposed.

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575; Ruby on Rails upstream for reporting CVE-2013-0269; and Andreas Falkenberg of SEC Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and Joerg Schwenk of Ruhr-University Bochum for reporting CVE-2013-2160. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269.

All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat Customer Portal are advised to upgrade to Fuse ESB Enterprise 7.1.0 roll up patch 1.