First published: Thu Aug 29 2013
Red Hat JBoss Fuse 6.0.0, based on Apache ServiceMix, provides an integration platform.

Red Hat JBoss Fuse 6.0.0 patch 2 is an update to Red Hat JBoss Fuse 6.0.0 and includes bug fixes. Refer to the readme file included with the patch files for information about these fixes.

The following security issues are also resolved with this update:

A flaw was found in the logging performed during deserialization of the BrokerFactory class in Apache OpenJPA. A remote attacker able to supply a serialized instance of the BrokerFactory class, which will be deserialized on a server, could use this flaw to write an executable file to the server's file system. (CVE-2013-1768)

A flaw in JRuby's JSON gem allowed remote attacks by creating different types of malicious objects. For example, it could initiate a denial of service attack through resource consumption by using a JSON document to create arbitrary Ruby symbols, which were never garbage collected. It could also be exploited to create internal objects which could allow a SQL injection attack. (CVE-2013-0269)

It was discovered that JRuby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory. (CVE-2013-1821)

Note: Red Hat JBoss Fuse 6.0.0 ships JRuby as part of the camel-ruby component, which allows users to define Camel routes in Ruby. The default use of JRuby in Red Hat JBoss Fuse 6.0.0 does not appear to expose either CVE-2013-0269 or CVE-2013-1821. If the version of JRuby shipped with Red Hat JBoss Fuse 6.0.0 was used to build a custom application, then these flaws could be exposed.

Multiple denial of service flaws were found in the way the Apache CXF StAX parser implementation processed certain XML files. If a web service utilized the StAX parser, a remote attacker could provide a specially-crafted XML file that, when processed, would lead to excessive CPU and memory consumption. (CVE-2013-2160)

Red Hat would like to thank Ruby on Rails upstream for reporting CVE-2013-0269, and Andreas Falkenberg of SEC Consult Deutschland GmbH, and Christian Mainka, Juraj Somorovsky and Joerg Schwenk of Ruhr-University Bochum for reporting CVE-2013-2160. Upstream acknowledges Thomas Hollstegge of Zweitag and Ben Murphy as the original reporters of CVE-2013-0269.

All users of Red Hat JBoss Fuse 6.0 as provided from the Red Hat Customer Portal are advised to apply this patch.
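The REXML issue (CVE-2013-1821) is the nested-entity expansion pattern: a few hundred bytes of internal DTD expand to megabytes the moment an application reads a text node. The Ruby example below is added here and is not part of the Red Hat advisory, of JRuby or of REXML. It parses a constructed nested-entity document and shows how the expansion limits that current REXML releases expose (`REXML::Security.entity_expansion_limit` and `REXML::Security.entity_expansion_text_limit`) abort the expansion when the text is read; whether the REXML version bundled with JBoss Fuse 6.0.0 honours these settings is not assumed, which is why the advisory's patch is the fix there. The function name `read_text_node`, both XML documents and the limit values are this example's own choices.

```ruby
require 'rexml/document'

# Constructed sample input (not from the advisory): a small nested-entity
# document. &lol4; expands to 10^4 copies of "lol" (30,000 bytes) through
# 11,110 entity references, from a payload of a few hundred bytes.
MALICIOUS_XML = <<~XML
  <!DOCTYPE payload [
    <!ENTITY lol0 "lol">
    <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
    <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  ]>
  <payload>&lol4;</payload>
XML

# Constructed benign input: a single text node with no custom entities.
BENIGN_XML = "<payload>hello</payload>"

# Parse xml and read the root element's text node under explicit expansion
# limits. REXML stores text raw at parse time and expands entity references
# when the text is read, which is exactly the operation CVE-2013-1821 abuses.
# Returns [:ok, text_length] or [:rejected, reason].
def read_text_node(xml, expansion_limit: 1_000, text_limit: 10_240)
  # Limits chosen for this example; REXML's own defaults are 10_000
  # expansions and 10_240 bytes of expanded text. They must be set before
  # the Document is created, since the document copies them at construction.
  REXML::Security.entity_expansion_limit = expansion_limit
  REXML::Security.entity_expansion_text_limit = text_limit

  doc = REXML::Document.new(xml)
  text = doc.root.text # entity expansion happens here, not in Document.new
  [:ok, text.length]
rescue RuntimeError => e
  # REXML raises RuntimeError ("number of entity expansions exceeded ..." or
  # "entity expansion has grown too large") once either limit is crossed.
  # REXML::ParseException is also a RuntimeError, so malformed input lands here.
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  p read_text_node(BENIGN_XML)
  p read_text_node(MALICIOUS_XML)
end
```

The benign document yields `[:ok, 5]`; the nested-entity document is rejected before its 30,000-byte expansion is materialised. In an application that only needs plain text from untrusted XML, set these limits once at startup and treat the RuntimeError as a rejected request rather than a crash.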