JBoss Fuse Integration Services on Fuse 6.3 Patch Release Notes

Updated -

This article provides the details around our JBoss Fuse Integration Services patches.

The intention of this article is to provide the details on the relevant releases that you may need in order to apply maintenance, as well as to document the associated fixes. For information on how to apply the patches, please refer to the Patching Documentation.

These patches may have three different components, and each section below details the issues resolved:

Application Dependency Updates
Image Updates
Template Updates

Patch releases are typically driven by application dependency updates. The following table highlights the relationship between the different versions. Note that images may be released outside of a major patch release; such releases are documented in the Image Updates section.

Versions

This section documents the versions for the different components for major patch releases.

JBoss Fuse Release | SpringBoot BOM Version | Karaf BOM Version | Fabric8 Maven Plug-In Version | Image Tags
JBoss Fuse 6.3.0 Roll Up 14 | 2.2.170.redhat-000037 | 2.2.170.redhat-000037 | 3.1.80.redhat-000037 | Karaf 2.0-68, Spring Boot 2.0-65
JBoss Fuse 6.3.0 Roll Up 13 | 2.2.170.redhat-000036 | 2.2.170.redhat-000036 | 3.1.80.redhat-000036 | Karaf 2.0-60, Spring Boot 2.0-58
JBoss Fuse 6.3.0 Roll Up 11 | 2.2.170.redhat-000032 | 2.2.170.redhat-000032 | 3.1.80.redhat-000032 | Karaf 2.0-57, Spring Boot 2.0-55
JBoss Fuse 6.3.0 Roll Up 10 | 2.2.170.redhat-000031 | 2.2.170.redhat-000031 | 3.1.80.redhat-000031 | Karaf 2.0-49, Spring Boot 2.0-47
JBoss Fuse 6.3.0 Roll Up 8 | 2.2.170.redhat-000030 | 2.2.170.redhat-000030 | 3.1.80.redhat-000030 | Karaf 2.0-39.1539812383, Spring Boot 2.0-38.1539812388
JBoss Fuse 6.3.0 Roll Up 7 | 2.2.170.redhat-000024 | 2.2.170.redhat-000024 | 3.1.80.redhat-000024 | Karaf 2.0-32, Spring Boot 2.0-31
JBoss Fuse 6.3.0 Roll Up 6 | 2.2.170.redhat-000023 | 2.2.170.redhat-000023 | 3.1.80.redhat-000023 | Karaf 2.0-19, Spring Boot 2.0-19
JBoss Fuse 6.3.0 Roll Up 5 | 2.2.170.redhat-000022 | 2.2.170.redhat-000022 | 3.1.80.redhat-000022 | Karaf 2.0-15, Spring Boot 2.0-15
JBoss Fuse 6.3.0 Roll Up 4 | 2.2.170.redhat-000019 | 2.2.170.redhat-000019 | 3.1.80.redhat-000019 | Karaf 2.0-12, Spring Boot 2.0-12
JBoss Fuse 6.3.0 Roll Up 2 | 2.2.170.redhat-000013 | 2.2.170.redhat-000013 | 3.1.80.redhat-000013 | Karaf 2.0-6, Spring Boot 2.0-6

Application Dependencies


The following table lists the patches specific to FIS that have been addressed in the varying release as well as a link to the Fuse rollup release notes.

JIRA - Description

6.3 R14 (R14 Release Notes: Issues resolved in Fuse 6.3 R14)
ENTESB-8509 - CVE-2017-15089 infinispan-core: infinispan: Unsafe deserialization of malicious object injected into data cache
ENTESB-11664 - Wrong infinispan version in camel-infinispan in Camel 2.18.1

6.3 R13 (R13 Release Notes: Issues resolved in Fuse 6.3 R13)
ENTESB-10662 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
ENTESB-10661 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
ENTESB-10660 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
ENTESB-10659 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
ENTESB-10658 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
ENTESB-10657 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
ENTESB-10656 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
ENTESB-10655 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
ENTESB-10904 - CVE: python update - RHSA: 43130
ENTESB-10919 - CVE: vim update - RHSA: 43265
ENTESB-11734 - Wrong version of jackson-databind in camel-spring-boot BOM
ENTESB-11714 - spring-boot-camel-rest-sql-1.0.0.fuse-000169 limits service name
ENTESB-11709 - Wrong jackson-databind version in FIS 2.0 based on R13
ENTESB-8615 - CVE-2016-5397 libthrift: thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands

6.3 R11 (R11 Release Notes: Issues resolved in Fuse 6.3 R11)
ENTESB-9951 - CXFRS header "CamelDestinationOverrideUrl" stops working after changing it twice
ENTESB-10252 - no_proxy in JVM argument not honoured in FIS image

6.3 R10 (R10 Release Notes: Issues resolved in Fuse 6.3 R10)
ENTESB-8757 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
ENTESB-8555 - CVE-2018-1000129 jolokia-core: jolokia: Cross site scripting in the HTTP servlet
ENTESB-8481 - CVE-2017-5929 logback-classic: logback: Serialization vulnerability in SocketServer and ServerSocketReceiver

6.3 R8 (R8 Release Notes: Issues resolved in Fuse 6.3 R8)
ENTESB-9009 - Publish Narayana artifacts for spring-boot in MRRC
ENTESB-8314 - CVE-2018-1304 tomcat8: tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
ENTESB-8312 - CVE-2018-1305 tomcat8: tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
ENTESB-7949 - CVE-2018-1270 spring: spring-framework: Possible RCE via spring messaging
ENTESB-7950 - CVE-2018-1275 spring: spring-framework: Address partial fix for CVE-2018-1270
ENTESB-8552 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
OSFUSE-770 - CVE-2018-1305 tomcat8: tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
OSFUSE-802 - CVE-2018-1270 spring: spring-framework: Possible RCE via spring messaging
OSFUSE-823 - jetty: Timing channel attack in util/security/Password.java
OSFUSE-804 - spring: spring-framework: Multipart content pollution
OSFUSE-769 - tomcat8: tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
OSFUSE-832 - CVE-2018-1271 spring: spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
OSFUSE-765 - Can't specify camel REST producer target URI in FIS
ENTESB-8704 - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process
ENTESB-9071 - EMBARGOED plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file
ENTESB-7407 - XSLT fails if the XML document contains a default namespace
ENTESB-9141 - karaf2-cxf-rest - NoSuchMethodError: BeanConfig.setUsePathBasedConfig(Z)V
ENTESB-9133 - activemq-camel gives NoClassDefFoundError: MessageHandlerMethodFactory
ENTESB-9262 - CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
ENTESB-9295 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
ENTESB-9497 - Regression between R7 and R8: missing slf4j in BOM

6.3 R7 (R7 Release Notes: Issues resolved in Fuse 6.3 R7)
ENTESB-8536 - Quickstarts fail with OOM
ENTESB-8308 - CVE-2017-8046 spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
ENTESB-8456 - CVE-2018-1199 spring: spring-framework: Improper URL path validation allows for bypassing of security checks on static resources [fis-2.0]
ENTESB-8741 - Backport CAMEL-11229
ENTESB-8682 - CVE-2018-1295 ignite-core: ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints [fis-2.0]
ENTESB-8569 - CVE-2018-9159 spark-core: spark: Absolute and relative pathnames allow for unintended static file disclosure [fis-2.0]
ENTESB-8506 - CVE-2017-12196 Undertow: Client can use bogus uri in Digest authentication [fis-2.0]
ENTESB-8609 - Camel Jasypt Encryption support in Spring Boot
ENTESB-7950 - CVE-2018-1275 spring: spring-framework: Address partial fix for CVE-2018-1270 [fuse-6.3.0]
ENTESB-9133 - activemq-camel gives NoClassDefFoundError: MessageHandlerMethodFactory

6.3 R6 (R6 Release Notes: Issues resolved in Fuse 6.3 R6)
OSFUSE-655 - [OCP 3.7] fabric8 client HorizontalPodAutoscaler returns 404 on OCP 3.7
OSFUSE-718 - [OSO][OCP 3.7] f-m-p redeployments failing to deploy
OSFUSE-734 - Backport CAMEL-11622 feature to FIS 2.0
OSFUSE-786 - Add openshift.io/display-name annotation to quickstart templates
OSFUSE-787 - Update quickstart template icon-class to icon-rh-integration

6.3 R5 (R5 Release Notes: Issues resolved in Fuse 6.3 R5)
OSFUSE-633 - Update documentation / quickstarts to use AMQ 6.3 image instead of the deprecated AMQ 6.2 image
OSFUSE-641 - Diff between karaf feature bundle commons-codec version and pom version
OSFUSE-645 - Integrate Camel 2.19.1 with FIS 2.x because of ThrottlingExceptionRoutePoli
OSFUSE-689 - Update FIS 2.0 images to address OSOP memory limitations

6.3 R4 (R4 Release Notes: Issues resolved in Fuse 6.3 R4)
OSFUSE-545 - Archetypes don't contain configuration/settings.xml
OSFUSE-555 - f-m-p misleading log warning if oc binary is missing
OSFUSE-577 - Upgrade Jolokia to 1.3.6
OSFUSE-558 - [maven-repo] Missing org.apache.tomcat.embed:tomcat-embed-jasper:jar:8.0.36.redhat-14
OSFUSE-579 - FMP Karaf binary s2i-built image from Windows fails on startup: exec: /deployments/karaf/bin/karaf: cannot execute: Permission denied
OSFUSE-588 - XML Routes do not load when a camel component id is similar to a camel component definition id
OSFUSE-596 - Including configuration/settings.xml in FIS Maven archetypes
OSFUSE-600 - Update Camel SQL-Stored component to allow for stored functions
OSFUSE-619 - SB apps have shrinkwrap jars in them
OSFUSE-605 - f-m-p stuck in waitUntilBuildFinished
OSFUSE-560 - Editing karaf camel route XML via hawtio console creates a broken XML with xmlns:xmlns
OSFUSE-657 - Bump tomcat version

6.3 R2 (R2 Release Notes: Issues resolved in 6.3 R2)
OSFUSE-601 - Update POM files to use GA version of Tomcat
OSFUSE-572 - camel-salesforce: backport streaming improvements
OSFUSE-573 - camel-salesforce: backport Composite API support
OSFUSE-577 - Upgrade Jolokia to 1.3.6
OSFUSE-537 - CXF templates lack Routes
OSFUSE-545 - Archetypes don't contain configuration/settings.xml
OSFUSE-555 - f-m-p misleading log warning if oc binary is missing
OSFUSE-545 - Improve error feedback when the targeted docker registry is not secured and not configured as such, instead of just "An error has occurred. Stream Closed"

Image Updates

This section documents image updates. Image updates are tracked through Red Hat errata. On some occasions images may be updated outside of a patch cycle to incorporate important fixes or security updates. Aside from checking this document or the container catalog, you may also receive notifications about updates directly by completing this form.

Image | Image Tag | Rollup Base | Errata
JBoss Fuse for OpenShift | 2.0-58 | R13 | RHBA-2019:3000
JBoss Fuse for OpenShift | 2.0-55 | R11 | RHBA-2019:0768
JBoss Fuse for OpenShift | 2.0-47 | R10 | RHBA-2019:0166
JBoss Fuse for OpenShift | 2.0-38.1539812388 | R8 | RHBA-2018:2942
JBoss Fuse for OpenShift | 2.0-38 | R8 | RHBA-2018:2940
JBoss Fuse for OpenShift | 2.0-31 | R7 | RHBA-2018:2564
JBoss Fuse for OpenShift | 2.0-17 | R6 | RHSA-2018:0805
JBoss Fuse for OpenShift | 2.0-15 | R5 | RHBA-2018:0291
JBoss Fuse for OpenShift | 2.0-13 | R4 | RHBA-2017:3055
JBoss Fuse for OpenShift | 2.0-12 | R4 | RHBA-2017:2883
JBoss Fuse for OpenShift | 2.0-9 | R2 | RHBA-2017:1796
JBoss Fuse for OpenShift | 2.0-7 | R2 | RHBA-2017:1531
JBoss Fuse for OpenShift | 2.0-6 | R2 | RHBA-2017:1237
JBoss Fuse for OpenShift | 2.0-3 | GA | RHEA-2017:0288
JBoss Fuse for OpenShift - Karaf based | 2.0-60 | R13 | RHBA-2019:3000
JBoss Fuse for OpenShift - Karaf based | 2.0-57 | R11 | RHBA-2019:0768
JBoss Fuse for OpenShift - Karaf based | 2.0-49 | R10 | RHBA-2019:0166
JBoss Fuse for OpenShift - Karaf based | 2.0-39.1539812383 | R8 | RHBA-2018:2942
JBoss Fuse for OpenShift - Karaf based | 2.0-39 | R8 | RHBA-2018:2940
JBoss Fuse for OpenShift - Karaf based | 2.0-32 | R7 | RHBA-2018:2564
JBoss Fuse for OpenShift - Karaf based | 2.0-28 | R6 | RHBA-2018:2368
JBoss Fuse for OpenShift - Karaf based | 2.0-19 | R6 | RHBA-2018:1845
JBoss Fuse for OpenShift - Karaf based | 2.0-18 | R6 | RHBA-2018:1729
JBoss Fuse for OpenShift - Karaf based | 2.0-15 | R5 | RHBA-2018:0291
JBoss Fuse for OpenShift - Karaf based | 2.0-13 | R4 | RHBA-2017:3055
JBoss Fuse for OpenShift - Karaf based | 2.0-12 | R4 | RHBA-2017:2883
JBoss Fuse for OpenShift - Karaf based | 2.0-9 | R2 | RHBA-2017:1796
JBoss Fuse for OpenShift - Karaf based | 2.0-7 | R2 | RHBA-2017:1531
JBoss Fuse for OpenShift - Karaf based | 2.0-6 | R2 | RHBA-2017:1237
JBoss Fuse for OpenShift - Karaf based | 2.0-5 | R2 | RHBA-2017:1165
JBoss Fuse for OpenShift - Karaf based | 2.0-3 | GA | RHEA-2017:0288

Template Updates

Templates are rebased on the latest rollup, and you will need to update them each time so that new projects created with these templates use the correct versions.