Red Hat Security Advisory 2019-2413-01
Posted Aug 8, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-2413-01 - This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include bypass, code execution, cross site request forgery, and deserialization vulnerabilities.

tags | advisory, vulnerability, code execution, csrf
systems | linux, redhat
advisories | CVE-2016-10750, CVE-2018-10899, CVE-2018-1258, CVE-2018-1320, CVE-2018-15758, CVE-2018-8088, CVE-2019-0192, CVE-2019-3805
MD5 | 53bb333aee70326e114d65367280c8c2

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Fuse 7.4.0 security update
Advisory ID: RHSA-2019:2413-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2413
Issue date: 2019-08-08
CVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320
           CVE-2018-8088 CVE-2018-10899 CVE-2018-15758
           CVE-2019-0192 CVE-2019-3805
====================================================================
1. Summary:

A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse
7.3, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hazelcast: java deserialization in join cluster procedure leading to
remote code execution (CVE-2016-10750)

* slf4j: Deserialisation vulnerability in EventData constructor can allow
for arbitrary code execution (CVE-2018-8088)

* jolokia: system-wide CSRF that could lead to Remote Code Execution
(CVE-2018-10899)

* spring-security-oauth: Privilege escalation by manipulating saved
authorization request (CVE-2018-15758)

* solr: remote code execution due to unsafe deserialization (CVE-2019-0192)

* thrift: SASL negotiation isComplete validation bypass in the
org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)

* spring-security-core: Unauthorized Access with Spring Security Method
Security (CVE-2018-1258)

* wildfly: Race condition on PID file allows for termination of arbitrary
processes by local users (CVE-2019-3805)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are available from the Fuse 7.4.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/

4. Bugs fixed (https://bugzilla.redhat.com/):

1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security
1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution
1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization
1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution

5. References:

https://access.redhat.com/security/cve/CVE-2016-10750
https://access.redhat.com/security/cve/CVE-2018-1258
https://access.redhat.com/security/cve/CVE-2018-1320
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/cve/CVE-2018-10899
https://access.redhat.com/security/cve/CVE-2018-15758
https://access.redhat.com/security/cve/CVE-2019-0192
https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.


