Red Hat Product Errata RHSA-2024:3354 - Security Advisory
Issued:
2024-05-23
Updated:
2024-05-23

RHSA-2024:3354 - Security Advisory

Synopsis

Important: Red Hat Fuse 7.13.0 release and security update

Type/Severity

Security Advisory: Important

Topic

Red Hat Fuse 7.13.0 release is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Fuse 7.13.0 is released which includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.

Security Fix(es):

  • undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
  • jetty-servlets: jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
  • jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
  • jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
  • avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)
  • JSON-java: parser confusion leads to OOM (CVE-2023-5072)
  • http2-hpack: jetty: hpack header values cause denial of service in http/2 (CVE-2023-36478)
  • spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service (CVE-2023-34055)
  • tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
  • activemq: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE (CVE-2022-41678)
  • logback: serialization vulnerability in logback receiver (CVE-2023-6378)
  • logback: A serialization vulnerability in logback receiver (CVE-2023-6481)
  • solr: : Apache Solr: Host environment variables are published via the Metrics API (CVE-2023-50290)
  • shiro: path traversal attack may lead to authentication bypass (CVE-2023-46749)
  • tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
  • springframework: URL Parsing with Host Validation (CVE-2024-22243)

For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Fuse 1 x86_64

Fixes

  • BZ - 2209689 - CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling
  • BZ - 2239630 - CVE-2023-36479 jetty: Improper addition of quotation marks to user inputs in CgiServlet
  • BZ - 2239634 - CVE-2023-40167 jetty: Improper validation of HTTP/1 content-length
  • BZ - 2242521 - CVE-2023-39410 apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
  • BZ - 2243123 - CVE-2023-36478 jetty: hpack header values cause denial of service in http/2
  • BZ - 2246417 - CVE-2023-5072 JSON-java: parser confusion leads to OOM
  • BZ - 2251917 - CVE-2023-34055 spring-boot: org.springframework.boot:spring-boot-actuator class vulnerable to denial of service
  • BZ - 2252050 - CVE-2023-46589 tomcat: HTTP request smuggling via malformed trailer headers
  • BZ - 2252185 - CVE-2022-41678 Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE
  • BZ - 2252230 - CVE-2023-6378 logback: serialization vulnerability in logback receiver
  • BZ - 2252956 - CVE-2023-6481 logback: A serialization vulnerability in logback receiver
  • BZ - 2258132 - CVE-2023-50290 : Apache Solr: Host environment variables are published via the Metrics API
  • BZ - 2258134 - CVE-2023-46749 shiro: path traversal attack may lead to authentication bypass
  • BZ - 2259204 - CVE-2024-21733 tomcat: Leaking of unrelated request bodies in default error page
  • BZ - 2265735 - CVE-2024-22243 springframework: URL Parsing with Host Validation

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.