First published: Thu Nov 14 2019
This release of Red Hat Fuse 7.5.0 serves as a replacement for Red Hat Fuse 7.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

- jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)
- jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)
- infinispan: deserialization of data in XML and JSON transcoders (CVE-2018-1131)
- hadoop: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-8009)
- jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)
- jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)
- jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)
- jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
- jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
- jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
- jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
- jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
- jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
- retrofit: Directory traversal in RequestBuilder allows manipulation of resources (CVE-2018-1000850)
- zookeeper: Information disclosure in Apache ZooKeeper (CVE-2019-0201)
- mesos: docker image code execution (CVE-2019-0204)
- netty: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
- grpc: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
- netty: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
- grpc: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
- netty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
- grpc: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
- netty: HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)
- xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) (CVE-2019-10173)
- syndesis: default CORS configuration is allow all (CVE-2019-14860)
- netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)
- activemq: ActiveMQ Client Missing TLS Hostname Verification (CVE-2018-11775)
- tika: Incomplete fix allows for XML entity expansion resulting in denial of service (CVE-2018-11796)
- jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
- tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
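Most of the jackson-databind entries above share one root cause: global default typing lets the JSON document name the class to instantiate, and the library's deny-list of known gadget classes was repeatedly found incomplete (each "improper polymorphic deserialization in ... class" item is one more class the list had missed). The added example below is not part of the advisory or of Red Hat Fuse; it shows the weak configuration beside the hardened one using the jackson-databind 2.10+ API (`activateDefaultTyping` with a `BasicPolymorphicTypeValidator`), which replaces the deny-list with an allow-list of the application's own types. The `Message` and `TextMessage` classes and the sample JSON are constructed for the example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical application types used as the polymorphic base (constructed for this example).
    public interface Message {}

    public static class TextMessage implements Message {
        public String body;
    }

    // Weak configuration: global default typing with no validator. Which classes may be
    // instantiated is then limited only by the library's internal deny-list, the approach
    // that the "incomplete black list" CVEs above show to be unreliable.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Hardened configuration: a type id in the document is honoured only if the named class
    // is a subtype of the application's own Message hierarchy. Any other class name
    // (third-party library classes included) is rejected before instantiation.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Message.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Returns true if the mapper is willing to instantiate the class named in the document,
    // false if the polymorphic type validator rejects it.
    public static boolean acceptsTypeId(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException e) {
            // InvalidTypeIdException (a JsonMappingException) signals a denied type id.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a WRAPPER_ARRAY type id naming a class outside the
        // application hierarchy. java.util.HashMap is harmless; the point is that the
        // weak mapper instantiates whatever class is named, the hardened one does not.
        String untrustedJson = "[\"java.util.HashMap\", {}]";
        System.out.println("weak mapper accepts foreign type id:     " + acceptsTypeId(weakMapper(), untrustedJson));
        System.out.println("hardened mapper accepts foreign type id: " + acceptsTypeId(hardenedMapper(), untrustedJson));

        // An application type passes the allow-list and deserializes normally.
        String trustedJson = "[\"" + TextMessage.class.getName() + "\", {\"body\":\"hello\"}]";
        System.out.println("hardened mapper accepts Message subtype: " + acceptsTypeId(hardenedMapper(), trustedJson));
    }
}
```

When auditing a Fuse or Camel deployment for this class of issue, the thing to look for is any `enableDefaultTyping(...)` call or `@JsonTypeInfo(use = Id.CLASS)` annotation on a type that is populated from untrusted input; the fix is the allow-list validator above (or no default typing at all), not a newer deny-list.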