First published: Mon Nov 28 2022
This release of Red Hat Fuse 7.11.1 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

* hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)
* io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)
* json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)
* io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)
* urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)
* http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)
* urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)
* Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)
* netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)
* jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)
* commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)
* commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)
* undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)
* moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
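As an added triage example (not part of the advisory, and not Red Hat tooling): a small Python parser for the fix-line format used above, "component: summary [product] (CVE-id)", which builds component and CVE indexes and checks a list of deployed component names against the advisory. The fix lines embedded in it are copied from this advisory; the "deployed" component list is constructed for illustration, and the function names are this example's own.

```python
"""Parse a Red Hat advisory "Security Fix(es)" list into records and index it.

Added example for advisory triage; not Red Hat code. The fix lines below are
quoted from the Fuse 7.11.1 advisory; DEPLOYED is a made-up component list.
"""
import re
from collections import defaultdict

# Fix lines copied from the advisory, one per line.
ADVISORY_FIXES = """\
hsqldb: Untrusted input may lead to RCE attack [fuse-7] (CVE-2022-41853)
io.hawt-hawtio-online: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
io.hawt-project: bootstrap: XSS in the tooltip or popover data-template attribute [fuse-7] (CVE-2019-8331)
wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [fuse-7] (CVE-2021-3717)
json-smart: Denial of Service in JSONParserByteArray function [fuse-7] (CVE-2021-31684)
io.hawt-hawtio-integration: minimist: prototype pollution [fuse-7] (CVE-2021-44906)
urijs: Authorization Bypass Through User-Controlled Key [fuse-7] (CVE-2022-0613)
http2-server: Invalid HTTP/2 requests cause DoS [fuse-7] (CVE-2022-2048)
snakeyaml: Denial of Service due to missing nested depth limitation for collections [fuse-7] (CVE-2022-25857)
urijs: Leading white space bypasses protocol validation [fuse-7] (CVE-2022-24723)
Moment.js: Path traversal in moment.locale [fuse-7] (CVE-2022-24785)
netty: world readable temporary file containing sensitive data [fuse-7] (CVE-2022-24823)
jdbc-postgresql: postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [fuse-7] (CVE-2022-31197)
commons-configuration2: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults [fuse-7] (CVE-2022-33980)
commons-text: apache-commons-text: variable interpolation RCE [fuse-7] (CVE-2022-42889)
undertow: Large AJP request may cause DoS [fuse-7] (CVE-2022-2053)
moment: inefficient parsing algorithm resulting in DoS [fuse-7] (CVE-2022-31129)
snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode [fuse-7] (CVE-2022-38749)
"""

# Constructed list of component names from a hypothetical deployment.
DEPLOYED = ["snakeyaml", "log4j-core", "commons-text", "camel-core"]

# component is everything up to the first colon; the summary may itself
# contain colons (e.g. "bootstrap: XSS ...") and parentheses, so it is
# matched lazily up to the "[product]" tag that precedes the CVE id.
FIX_RE = re.compile(
    r"^(?P<component>[^:]+):\s*(?P<summary>.+?)\s*"
    r"\[(?P<product>[^\]]+)\]\s*\((?P<cve>CVE-\d{4}-\d{4,})\)\s*$"
)


def parse_fixes(text):
    """Return one dict per fix line; raise on a line that does not fit the format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FIX_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised fix line: {line!r}")
        records.append(m.groupdict())
    return records


def index_by_component(records):
    """component -> sorted list of CVE ids (a component may carry several)."""
    idx = defaultdict(set)
    for r in records:
        idx[r["component"]].add(r["cve"])
    return {k: sorted(v) for k, v in idx.items()}


def index_by_cve(records):
    """CVE id -> sorted list of components (one CVE may appear under several)."""
    idx = defaultdict(set)
    for r in records:
        idx[r["cve"]].add(r["component"])
    return {k: sorted(v) for k, v in idx.items()}


def affected_components(records, deployed):
    """Deployed component names that the advisory lists, with their CVEs.

    Matching is on the advisory's exact component string; a deployment
    inventory using different names (e.g. Maven artifactIds) needs a mapping
    step before this check.
    """
    idx = index_by_component(records)
    return {c: idx[c] for c in deployed if c in idx}


if __name__ == "__main__":
    recs = parse_fixes(ADVISORY_FIXES)
    for component, cves in sorted(affected_components(recs, DEPLOYED).items()):
        print(f"{component}: {', '.join(cves)}")
```

The CVE index shows why component-level matching matters here: CVE-2019-8331 is listed twice, under io.hawt-hawtio-online and io.hawt-project, so counting distinct CVEs alone would under-report the components that need the update.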