Chapter 8. Fixed Issues in Fuse 7.12
The following sections list the issues that have been fixed in Fuse 7.12:
8.1. Enhancements in Fuse 7.12
| Issue | Description |
|---|---|
| Expose loaded plugins to avoid multiple requests to PluginServlet | |
| Fuse Console - Allow the possibility to set label at the hawtio CR | |
| Certify Fuse 7 on OpenJDK 17 before ELS | |
| operators.openshift.io/valid-subscription annotation for operator metadata bundles | |
| ensure all CXF tests passed with JDK17 | |
| Certify Fuse 7 on RHEL 9 | |
| Upgrade to EAP-7.4.10.GA-redhat-00002 |
8.2. Component Upgrades in Fuse 7.12
The following table lists the component upgrades in Fuse 7.12.
Table 8.1. Fuse 7.12 Component Upgrades
| Issue | Description |
|---|---|
| Upgrade Spring Boot to 2.7.12 | |
| Align camel test dependencies to be compatible with JDK17 | |
| Align to kafka-clients v3 |
8.3. Bugs resolved in Fuse 7.12
The following tables list the resolved bugs in Fuse 7.12.
Table 8.2. Fuse 7.12 Resolved Bugs
| Issue | Description |
|---|---|
| Offline repository contains org.jboss.fuse.fis.archetypes group name artfacts | |
| Next button disabled in SQS step creation until I change the autopopulated queue value | |
| Restore using operator binary not working as expected | |
| Operator instructions unclear and secret create steps are not easy to debug | |
| Discovery of deployed integration API seems disabled but not really | |
| support for multicast queue | |
| Error exclamation marks doesn’t show error message | |
| Build leveldb-jni for x86 | |
| validation error when connecting to an https endpoint | |
| Failed to watch errors printed in the operator logs | |
| Hawtio - CSP issues when using Hawtio with Keycloak | |
| FIPS on OCP - Jolokia agent doesn’t start due to unsupported security encoding | |
| FIPS on OCP - karaf-maven-plugin assembly goal fails to unsupported security provider | |
| Quickstart spring-boot-camel-amq integrations tests references old AMQ Broker version | |
| Provide a source container image for apicurito | |
| [Syndesis] CVE-2022-24785 Moment.js: Path traversal in moment.locale [fuse-7] | |
| Fuse hawtio includes HTTPClient 3.1 - CVE-2012-5783 | |
| AMQ6 image - V2 schema 1 manifest digest are no longer supported for image pulls | |
| Missing dataformats fhir-json/fhir-xml/xml-json in runtime specific catalogs | |
| Send correct UMB messages for container builds | |
| Camel http4 producer encodes array data to the http uri parameter as comma separated instead of multi-values parameters | |
| CVE-2022-42920 apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing [fuse-7] | |
| Backport request for ENTMQCL-2977 to Fuse 7.11.x | |
| CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception [fuse-7] | |
| Incomplete fix of CVE-2020-13956 | |
| CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [fuse-7] | |
| CVE-2022-41854 dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow [fuse-7] | |
| CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability [fuse-7] | |
| CVE-2022-38398 batik: Server-Side Request Forgery [fuse-7] | |
| CVE-2022-38648 batik: Server-Side Request Forgery [fuse-7] | |
| CVE-2022-46364 CXF: Apache CXF: SSRF Vulnerability [fuse-7] | |
| CVE-2022-46363 CXF: Apache CXF: directory listing / code exfiltration [fuse-7] | |
| CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client [fuse-7] | |
| CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions [fuse-7] | |
| Errors during Karaf startup with jdk17 | |
| Errors during EAP startup with jdk17 | |
| CVE-2022-45143 tomcat: JsonErrorReportValve injection [fuse-7] | |
| CVE-2022-36437 hazelcast: Hazelcast connection caching [fuse-7] | |
| Review patch-maven-plugin → karaf-maven-plugin communication | |
| A custom fuse console route doesn’t work. | |
| AutomaticRecovery from RabbitMQ Connection Factory is always creating a new connection | |
| fuse-patch may incorrectly report that a patch has already been applied | |
| netty4-http forwards a bad response (exception + http code 200) | |
| CXF test errors after upgrading to Karaf 4.4 and Pax Web 8 | |
| Any issue with camel-aws 2.23 component with TLS 1.3 in Fuse 7.11 ? | |
| Camel test errors after upgrading to Karaf 4.4 and Pax Web 8 | |
| Multicast not returning aggregated | |
| Hazelcast upgrade seems to break JCache Integration | |
| Wrong javax/mail/mail version used in fuse projects. | |
| Wrong log4j-slf4j18-impl version is used fuse projects. | |
| [Hawtio] Can’t login in Karaf | |
| CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element’s hash values raising a stack overflow [fuse-7] | |
| cxf - server transport isn’t up properly | |
| [Karaf] JCE cannot authenticate the provider BC | |
| Use groupified API versions in json files | |
| Karaf pax web - OPTIONS methods not exposed | |
| Hibernate fuse version clashes with spring boot | |
| [Karaf] JMX ACL MBean authentification problem | |
| [Karaf] 10 features cannot be installed | |
| Fuse archetype Spring Boot properties in SB1 format | |
| camel-master component is unable to load cluster service | |
| CVE-2023-1108 undertow: Infinite loop in SslConduit during close [fuse-7] | |
| [Karaf] Jasypt encryption problem JDK 17 and RHEL8-FIPS | |
| [Standalone] No response messages via fuse client | |
| [Standalone] Colorised commands in history | |
| [Fuse on Openshift] - Wrong Docker image reference in Quickstarts | |
| [Fuse on Openshift] - Application templates - No tag "1.12" with image streams in fis-image-streams.json | |
| [Fuse on Openshift] - Wrong WILDFLY version in EAP images JDK8/11 | |
| [Fuse on Openshift] - Application templates - Templates filled with old 7.11 references | |
| [Patching] Unable to patch 7.11 to 7.12 | |
| [karaf FoO] unable to use client into the POD | |
| CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern [fuse-7] | |
| CVE-2023-20861 springframework: Spring Expression DoS Vulnerability [fuse-7] | |
| Camel 2.23 tests do not support jdk17 | |
| Wildfly Camel 5.10 tests do not support jdk17 | |
| CXF 3.3.6 tests do not support jdk17 | |
| [Karaf] Doesn’t install features | |
| Camel Mail Component doesn’t use host/port information from session URI parameter | |
| CVE-2022-4492, ensure that Syndesis is using fixed undertow | |
| CVE-2023-1108 undertow: Infinite loop in SslConduit during close (fuse online) | |
| CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG [fuse-7] | |
| CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik [fuse-7] | |
| CVE-2023-22602 shiro-core: shiro: Authentication bypass through a specially crafted HTTP request [fuse-7] | |
| [Fuse On Openshift] QS spring-boot-camel-amq contains a removed image | |
| [Fuse On Openshift] QS Spring-Boot Camel Rest SQL reports wrong deployment step in README | |
| [Fuse On Openshift] Adjust Pod metering label rht.prod_ver formatting | |
| [Fuse on Openshift] QS Spring-Boot Camel Config fails on Spring Cloud due to SB upgrade | |
| Unable to install karaf features separately | |
| [Fuse On Openshift] QS Spring-Boot Camel Rest SQL throws bad SQL grammar exception | |
| [Fuse On Openshift] QS Spring-Boot Camel XA throws bad SQL grammar exception on PostGresSQL connection | |
| Hawtio console metrics shows free memory instead of used | |
| Pax-web-jetty features cannot be installed | |
| [Fuse standalone] Exception in log jdk11 and jdk17 | |
| CVE-2023-20860, ensure that Syndesis is using fixed springframework | |
| Cannot install CVE patch on top of 7.12 | |
| CVE-2022-41854, ensure that Syndesis is using fixed snakeyaml | |
| Remove org.apache.tomcat.embed dependencies from cxf-spring-boot-starter-jaxrs | |
| [Fuse On Openshift] QS Spring-Boot Camel-Drools, unable to create Kie Server | |
| [Fuse on Openshift] QS Spring Boot Camel Singleton, app won’t start | |
| [Fuse on Openshift] - Karaf - Unable to resolve missing rquirement in a cxf-jaxrs application | |
| CVE-2023-20861, ensure that Syndesis is using fixed springframework | |
| CVE-2022-41946, ensure that Syndesis is using fixed jdbc-postgresql | |
| Karaf, some bundle versions are not inline with versions specified in karaf-bom | |
| Memory leak in pax-url-aether | |
| CXF 3.3.6 downstream failures | |
| CVE-2023-20863 springframework: Spring Expression DoS Vulnerability [fuse-7] | |
| Unattended Jolokia Queries Not Working When Keycloak is Integrated for Access Control | |
| [Offliner] Files cannot be downloaded using offliner manifest file | |
| [Offliner] Missing artifacts | |
| Apicurito pods contain metering labels with incorrect values | |
| CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) [fuse-7] | |
| [Fuse on Openshift] Wrong version in Quickstart BOM | |
| Remove or refactor non-working quickstart spring-boot-camel-soap-rest-bridge | |
| Wildfly camel 5.10.0 downstream failure | |
| [Fuse on Openshift] - Illegal access on java.xml module using Karaf, jaxws and JDK17, because xerces packages are not exposed | |
| [Fuse on Openshift] - In camel-jdbc on Karaf, can’t retrieve a column from the body exchange | |
| Camel-Velocity: Deprecation warnings | |
| SpringFramework caches a missed TypeConverter and user can not clean it | |
| [Fuse On Openshift] - Dismiss/Remove RHOSAK Quickstarts | |
| CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security [fuse-7] | |
| Invalid qualifier for Karaf bundle | |
| CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability [fuse-7] | |
| patch-maven-plugin doesn’t work with Maven 3.9 | |
| Missing refs/tags on GitHub | |
| [Fuse Standalone] Camel-chunk feature missing dependency | |
| CXF 3.3.6 downstream failures | |
| CVE-2023-1370, ensure that Syndesis is using fixed json-smart | |
| [Karaf] Jasypt encryption problem JDK 17 and RHEL8-FIPS | |
| Camel health check behaviour change on Spring Boot runtime |