- Issued:
- 2018-02-14
- Updated:
- 2018-02-14
RHSA-2018:0319 - Security Advisory
Synopsis
Important: Red Hat JBoss Fuse/A-MQ 6.3 R6 security and bug fix update
Type/Severity
Security Advisory: Important
Topic
An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform.
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.
Security Fix(es):
- It was found that spring-ldap contains a security vulnerability that allows an attacker to authenticate with arbitrary password. When spring-ldap connected to some LDAP servers, and when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting userSearch, authentication is allowed with an arbitrary password when the username is correct. (CVE-2017-8028)
- It was found that a flaw in hawtio could cause remote code execution via file upload. An attacker could use this vulnerability to upload crafted file which could be executed on target machine where hawtio is deployed. (CVE-2017-2617)
- It was found that Apache Camel contains a security vulnerability via camel-hessian component. An attacker can utilize this flaw to deserialize malicious object on the target machine which could lead to Remote Code Execution (RCE). (CVE-2017-12633)
- It was found that Apache Camel contains a security vulnerability via camel-castor component. An attacker can utilize this flaw to deserialize malicious object on the target machine which could lead to Remote Code Execution (RCE). (CVE-2017-12634)
- It was found that a flaw exists in Switchyard component via Apache Batick. If an attacker sends a maliciously crafted SVG formed file on the target machine, that uses batik, files lying on the file system could be revealed to the attacker, depending on the user context in which the exploitable application is running. This flaw can also be leveraged to attack the availability of the target machine via DoS. (CVE-2017-5662)
The CVE-2017-2617 issue was discovered by Hooman Broujerdi (Red Hat).
Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Installation instructions are located in the download section of the customer portal.
The References section of this erratum contains a download link (you must log in to download the update).
Affected Products
- Red Hat Fuse 1 x86_64
Fixes
- BZ - 1419363 - CVE-2017-2617 Hawtio: Unrestricted file upload leads to RCE
- BZ - 1443592 - CVE-2017-5662 batik: XML external entity processing vulnerability
- BZ - 1510968 - CVE-2017-8028 spring-ldap: Authentication with userSearch and STARTTLS allows authentication with arbitrary password
- BZ - 1513376 - CVE-2017-12634 camel-castor: Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks
- BZ - 1513382 - CVE-2017-12633 camel-hessian: Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks
References
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=jboss.amq.broker&version=6.3.0
- https://access.redhat.com/documentation/en/red-hat-jboss-fuse/
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.