RHSA-2014:0498 - Security Advisory
Important: Fuse ESB Enterprise 7.1.0 security update
Security Advisory: Important
Fuse ESB Enterprise 7.1.0 R1 P4 (Patch 4 on Rollup Patch 1), a security
update that addresses one security issue, is now available from the Red Hat
The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.
Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method.
A remote attacker could use this flaw to manipulate the ClassLoader used by
an application server running Struts 1. This could lead to remote code
execution under certain conditions. (CVE-2014-0114)
Refer to the readme.txt file included with the patch files for
All users of Fuse ESB Enterprise 7.1.0 as provided from the Red Hat
Customer Portal are advised to apply this security update.
The References section of this erratum contains a download link (you must
log in to download the update).
- Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64
- BZ - 1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters
Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1