Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2021:5134 - Security Advisory
Issued:
2021-12-14
Updated:
2021-12-14

RHSA-2021:5134 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Critical: Red Hat Fuse 7.10.0 release and security update

Type/Severity

Security Advisory: Critical

Topic

A minor version update (from 7.9 to 7.10) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat Fuse 7.10.0 serves as a replacement for Red Hat Fuse 7.9, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • log4j-core (CVE-2020-9488, CVE-2021-44228)
  • nodejs-lodash (CVE-2019-10744)
  • libthrift (CVE-2020-13949)
  • xstream (CVE-2020-26217, CVE-2020-26259, CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350, CVE-2021-21351)
  • undertow (CVE-2020-27782, CVE-2021-3597, CVE-2021-3629, CVE-2021-3690)
  • xmlbeans (CVE-2021-23926)
  • batik (CVE-2020-11987)
  • xmlgraphics-commons (CVE-2020-11988)
  • tomcat (CVE-2020-13943)
  • bouncycastle (CVE-2020-15522, CVE-2020-15522)
  • groovy (CVE-2020-17521)
  • tomcat (CVE-2020-17527)
  • jetty (CVE-2020-27218, CVE-2020-27223, CVE-2021-28163, CVE-2021-28164, CVE-2021-28169, CVE-2021-34428)
  • jackson-dataformat-cbor (CVE-2020-28491)
  • jboss-remoting (CVE-2020-35510)
  • kubernetes-client (CVE-2021-20218)
  • netty (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409)
  • spring-web (CVE-2021-22118)
  • cxf-core (CVE-2021-22696)
  • json-smart (CVE-2021-27568)
  • jakarta.el (CVE-2021-28170)
  • commons-io (CVE-2021-29425)
  • sshd-core (CVE-2021-30129)
  • cxf-rt-rs-json-basic (CVE-2021-30468)
  • netty-codec (CVE-2021-37136, CVE-2021-37137)
  • jsoup (CVE-2021-37714)
  • poi (CVE-2019-12415)
  • mysql-connector-java (CVE-2020-2875, CVE-2020-2934)
  • wildfly (CVE-2021-3536)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are available from the Fuse 7.10.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/

Affected Products

  • Red Hat Fuse 1 x86_64

Fixes

  • BZ - 1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
  • BZ - 1802531 - CVE-2019-12415 poi: a specially crafted Microsoft Excel document allows attacker to read files from the local filesystem
  • BZ - 1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
  • BZ - 1851014 - CVE-2020-2934 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
  • BZ - 1851019 - CVE-2020-2875 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete
  • BZ - 1887648 - CVE-2020-13943 tomcat: Apache Tomcat HTTP/2 Request mix-up
  • BZ - 1898907 - CVE-2020-26217 XStream: remote code execution due to insecure XML deserialization when relying on blocklists
  • BZ - 1901304 - CVE-2020-27782 undertow: special character in query results in server errors
  • BZ - 1902826 - CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
  • BZ - 1904221 - CVE-2020-17527 tomcat: HTTP/2 request header mix-up
  • BZ - 1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
  • BZ - 1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling
  • BZ - 1922102 - CVE-2021-23926 xmlbeans: allowed malicious XML input may lead to XML Entity Expansion attack
  • BZ - 1922123 - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
  • BZ - 1923405 - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
  • BZ - 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
  • BZ - 1928172 - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
  • BZ - 1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception
  • BZ - 1933808 - CVE-2020-11987 batik: SSRF due to improper input validation by the NodePickerPanel
  • BZ - 1933816 - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser
  • BZ - 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
  • BZ - 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
  • BZ - 1939839 - CVE-2021-27568 json-smart: uncaught exception may lead to crash or information disclosure
  • BZ - 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream
  • BZ - 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream
  • BZ - 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream
  • BZ - 1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet
  • BZ - 1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry
  • BZ - 1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue
  • BZ - 1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator
  • BZ - 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability
  • BZ - 1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host
  • BZ - 1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader
  • BZ - 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
  • BZ - 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
  • BZ - 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
  • BZ - 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF
  • BZ - 1946341 - CVE-2021-22696 cxf: OAuth 2 authorization service vulnerable to DDos attacks
  • BZ - 1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode
  • BZ - 1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
  • BZ - 1962879 - CVE-2020-15522 bouncycastle: Timing issue within the EC math library
  • BZ - 1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
  • BZ - 1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
  • BZ - 1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory
  • BZ - 1973392 - CVE-2021-30468 CXF: Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
  • BZ - 1974854 - CVE-2021-22118 spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
  • BZ - 1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout
  • BZ - 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS
  • BZ - 1981527 - CVE-2021-30129 mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server
  • BZ - 1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
  • BZ - 1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck
  • BZ - 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
  • BZ - 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
  • BZ - 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value

CVEs

  • CVE-2019-10744
  • CVE-2019-12415
  • CVE-2020-2875
  • CVE-2020-2934
  • CVE-2020-9488
  • CVE-2020-11987
  • CVE-2020-11988
  • CVE-2020-13943
  • CVE-2020-13949
  • CVE-2020-15522
  • CVE-2020-17521
  • CVE-2020-17527
  • CVE-2020-26217
  • CVE-2020-26259
  • CVE-2020-27218
  • CVE-2020-27223
  • CVE-2020-27782
  • CVE-2020-28491
  • CVE-2020-35510
  • CVE-2021-3536
  • CVE-2021-3597
  • CVE-2021-3629
  • CVE-2021-3690
  • CVE-2021-20218
  • CVE-2021-21290
  • CVE-2021-21295
  • CVE-2021-21341
  • CVE-2021-21342
  • CVE-2021-21343
  • CVE-2021-21344
  • CVE-2021-21345
  • CVE-2021-21346
  • CVE-2021-21347
  • CVE-2021-21348
  • CVE-2021-21349
  • CVE-2021-21350
  • CVE-2021-21351
  • CVE-2021-21409
  • CVE-2021-22118
  • CVE-2021-22696
  • CVE-2021-23926
  • CVE-2021-27568
  • CVE-2021-28163
  • CVE-2021-28164
  • CVE-2021-28169
  • CVE-2021-28170
  • CVE-2021-29425
  • CVE-2021-30129
  • CVE-2021-30468
  • CVE-2021-34428
  • CVE-2021-37136
  • CVE-2021-37137
  • CVE-2021-37714
  • CVE-2021-44228

References

  • https://access.redhat.com/security/updates/classification/#critical
  • https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/
  • https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.10.0
  • https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Fuse 1

SRPM
x86_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2022 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter