exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2016-2035-01

Red Hat Security Advisory 2016-2035-01
Posted Oct 6, 2016
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2016-2035-01 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat JBoss Fuse 6.2.1, and includes several bug fixes and enhancements.

tags | advisory
systems | linux, redhat
advisories | CVE-2015-3192, CVE-2015-5344, CVE-2015-5348, CVE-2015-7940, CVE-2016-2141, CVE-2016-2510, CVE-2016-4437
SHA-256 | 783d844b4a979957118ea3b2ddd3e8f2ab6d7c6074b85f24619161724330d970

Red Hat Security Advisory 2016-2035-01

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Fuse 6.3 security update
Advisory ID: RHSA-2016:2035-01
Product: Red Hat JBoss Fuse
Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-2035.html
Issue date: 2016-10-06
CVE Names: CVE-2015-3192 CVE-2015-5344 CVE-2015-5348
CVE-2015-7940 CVE-2016-2141 CVE-2016-2510
CVE-2016-4437
=====================================================================

1. Summary:

Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes
several bug fixes and enhancements, is now available from the Red Hat
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.

Red Hat JBoss Fuse 6.3 is a minor product release that updates Red Hat
JBoss Fuse 6.2.1, and includes several bug fixes and enhancements. Refer to
the Release Notes document, available from the Product Documentation link
in the References section, for a list of these changes.

Security Fix(es):

It was found that JGroups did not require necessary headers for encrypt and
auth protocols from new nodes joining the cluster. An attacker could use
this flaw to bypass security restrictions, and use this vulnerability to
send and receive messages within the cluster, leading to information
disclosure, message spoofing, or further possible attacks. (CVE-2016-2141)

A deserialization flaw allowing remote code execution was found in the
BeanShell library. If BeanShell was on the classpath, it could permit code
execution if another part of the application deserialized objects involving
a specially constructed chain of classes. A remote attacker could use this
flaw to execute arbitrary code with the permissions of the application
using the BeanShell library. (CVE-2016-2510)

It was found that Apache Shiro uses a default cipher key for its "remember
me" feature. An attacker could use this to devise a malicious request
parameter and gain access to unauthorized content. (CVE-2016-4437)

A denial of service flaw was found in the way Spring processes inline DTD
declarations. A remote attacker could submit a specially crafted XML file
that would cause out-of-memory errors when parsed. (CVE-2015-3192)

It was found that Apache Camel's camel-xstream component was vulnerable to
Java object deserialization. This vulnerability permits deserialization of
data which could lead to information disclosure, code execution, or other
possible attacks. (CVE-2015-5344)

It was found that Apache Camel's Jetty/Servlet permitted object
deserialization. If using camel-jetty or camel-servlet as a consumer in
Camel routes, then Camel will automatically deserialize HTTP requests that
use the content-header: application/x-java-serialized-object. An attacker
could use this vulnerability to gain access to unauthorized information or
conduct further attacks. (CVE-2015-5348)

It was found that bouncycastle is vulnerable to an invalid curve attack. An
attacker could extract private keys used in elliptic curve cryptography
with a few thousand queries. (CVE-2015-7940)

The CVE-2016-2141 issue was discovered by Dennis Reed (Red Hat).

Refer to the Product Documentation link in the References section for
installation instructions.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1239002 - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
1276272 - CVE-2015-7940 bouncycastle: Invalid curve attack allowing to extract private keys
1292849 - CVE-2015-5348 Camel: Java object deserialisation in Jetty/Servlet
1303609 - CVE-2015-5344 camel-xstream: Java object de-serialization vulnerability leads to RCE
1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization
1313589 - CVE-2016-2141 Authorization bypass in JGroups
1343346 - CVE-2016-4437 shiro: Security constraint bypass

5. References:

https://access.redhat.com/security/cve/CVE-2015-3192
https://access.redhat.com/security/cve/CVE-2015-5344
https://access.redhat.com/security/cve/CVE-2015-5348
https://access.redhat.com/security/cve/CVE-2015-7940
https://access.redhat.com/security/cve/CVE-2016-2141
https://access.redhat.com/security/cve/CVE-2016-2510
https://access.redhat.com/security/cve/CVE-2016-4437
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.3.0
https://access.redhat.com/documentation/en/red-hat-jboss-fuse/?version=6.3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX9nl4XlSAg2UNWIIRAjzuAJ9IjZsuMRzFPBfv/AW1xXlo9AHHNwCeNayc
X467FkxtKPz7MAU5sEu9U/c=
=tF7y
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close