- Vulnerability/
- RHSA-2018:0319
RHSA-2018:0319: Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update
First published: Wed Feb 14 2018(Updated: )
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. <br>Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.<br>This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.<br>Security Fix(es):<br><li> It was found that spring-ldap contains a security vulnerability that allows an attacker to authenticate with arbitrary password. When spring-ldap connected to some LDAP servers, and when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. (CVE-2017-8028)</li> <li> It was found that a flaw in hawtio could cause remote code execution via file upload. An attacker could use this vulnerability to upload crafted file which could be executed on target machine where hawtio is deployed. (CVE-2017-2617)</li> <li> It was found that Apache Camel contains a security vulnerability via camel-hessian component. An attacker can utilize this flaw to deserialize malicious object on the target machine which could lead to Remote Code Execution (RCE). (CVE-2017-12633)</li> <li> It was found that Apache Camel contains a security vulnerability via camel-castor component. An attacker can utilize this flaw to deserialize malicious object on the target machine which could lead to Remote Code Execution (RCE). (CVE-2017-12634)</li> <li> It was found that a flaw exists in Switchyard component via Apache Batick. If an attacker sends a maliciously crafted SVG formed file on the target machine, that uses batik, files lying on the file system could be revealed to the attacker, depending on the user context in which the exploitable application is running. This flaw can also be leveraged to attack the availability of the target machine via DoS. (CVE-2017-5662)</li> The CVE-2017-2617 issue was discovered by Hooman Broujerdi (Red Hat).
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1419363
- https://bugzilla.redhat.com/show_bug.cgi?id=1443592
- https://bugzilla.redhat.com/show_bug.cgi?id=1510968
- https://bugzilla.redhat.com/show_bug.cgi?id=1513376
- https://bugzilla.redhat.com/show_bug.cgi?id=1513382
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq.broker&version=6.3.0
- https://access.redhat.com/documentation/en/red-hat-jboss-fuse/
- https://access.redhat.com/errata/RHSA-2018:0319 (Advisory)
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2018:0319
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type