RHSA-2016:2035 - Security Advisory

Topic

Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.

Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to the Release Notes document, available from the Product Documentation link in the References section, for a list of these changes.

Security Fix(es):

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library. (CVE-2016-2510)

It was found that Apache Shiro uses a default cipher key for its "remember me" feature. An attacker could use this to devise a malicious request parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that Apache Camel's camel-xstream component was vulnerable to Java object deserialization. This vulnerability permits deserialization of data which could lead to information disclosure, code execution, or other possible attacks. (CVE-2015-5344)

It was found that Apache Camel's Jetty/Servlet permitted object deserialization. If using camel-jetty or camel-servlet as a consumer in Camel routes, then Camel will automatically deserialize HTTP requests that use the content-header: application/x-java-serialized-object. An attacker could use this vulnerability to gain access to unauthorized information or conduct further attacks. (CVE-2015-5348)

It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. (CVE-2015-7940)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

Refer to the Product Documentation link in the References section for installation instructions.

Solution

The References section of this erratum contains a download link (you must
log in to download the update).

Affected Products

• Red Hat Fuse 1 x86_64

Fixes

• BZ - 1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
• BZ - 1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
• BZ - 1292849 - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
• BZ - 1303609 - CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE
• BZ - 1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization
• BZ - 1313589 - CVE-2016-2141 JGroups: Authorization bypass
• BZ - 1343346 - CVE-2016-4437 shiro: Security constraint bypass

CVEs

• CVE-2015-3192
• CVE-2015-5254
• CVE-2015-5344
• CVE-2015-5348
• CVE-2015-7940
• CVE-2016-2141
• CVE-2016-2510
• CVE-2016-4437

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0
• https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3